From 8d89aad94f90fbdde4c8ef777617eb0e595918de Mon Sep 17 00:00:00 2001 From: said-moj <45761276+said-moj@users.noreply.github.com> Date: Tue, 14 May 2024 10:09:12 +0100 Subject: [PATCH 01/98] Add build-and-push workflow --- .github/workflows/build-and-push.yml | 43 ++++++++++++++++++++++++++++ .github/workflows/workflow.yml | 9 ++++++ .gitignore | 1 + Dockerfile | 1 + 4 files changed, 54 insertions(+) create mode 100644 .github/workflows/build-and-push.yml create mode 100644 .github/workflows/workflow.yml create mode 100644 Dockerfile diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml new file mode 100644 index 000000000..577d1189b --- /dev/null +++ b/.github/workflows/build-and-push.yml @@ -0,0 +1,43 @@ +name: Build and Push image +on: + workflow_call: + inputs: + ECR_REGION: + required: true + type: string + ECR_REPOSITORY: + required: true + type: string + secrets: + ECR_ROLE_TO_ASSUME: + required: true + + +jobs: + ecr: + runs-on: ubuntu-latest + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + steps: + # Checkout GitHub repository + - uses: actions/checkout@v3 + + # Assume role in Cloud Platform + - uses: aws-actions/configure-aws-credentials@v2 + with: + role-to-assume: ${{ secrets.ECR_ROLE_TO_ASSUME }} + aws-region: ${{ inputs.ECR_REGION }} + + # Login to container repository + - uses: aws-actions/amazon-ecr-login@v1 + id: login-ecr + + # Build and push a Docker image to the container repository + - run: | + docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG . + docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG + env: + REGISTRY: ${{ steps.login-ecr.outputs.registry }} + REPOSITORY: ${{ inputs.ECR_REPOSITORY }} + IMAGE_TAG: ${{ github.sha }} \ No newline at end of file diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml new file mode 100644 index 000000000..87c10fe28 --- /dev/null +++ b/.github/workflows/workflow.yml 
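Review bot: The three `uses:` steps in `build-and-push.yml` reference actions by mutable tag (`actions/checkout@v3`, `aws-actions/configure-aws-credentials@v2`, `aws-actions/amazon-ecr-login@v1`) inside a job that holds `id-token: write` and assumes the ECR role, so whoever can move one of those tags gets code execution with that role. Pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `- uses: actions/checkout@<FULL_COMMIT_SHA> # v3`. The same applies to `chartboost/ruff-action@v1` added in PATCH 02 and to the tag-only version bump in PATCH 08. Separately, `$REGISTRY/$REPOSITORY:$IMAGE_TAG` is unquoted in both `docker` commands; writing `"$REGISTRY/$REPOSITORY:$IMAGE_TAG"` keeps an unexpected value in the `ECR_REPOSITORY` input from splitting into extra arguments.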
@@ -0,0 +1,9 @@ +on: push +jobs: + build-and-push: + uses: ./.github/workflows/build-and-push.yml + with: + ECR_REGION: ${{vars.ECR_REGION}} + ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} + secrets: + ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} diff --git a/.gitignore b/.gitignore index aa69ef32f..00dcd188e 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,4 @@ env/ *.code-workspace *.sha256 terraform.tfstate +.idea diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 000000000..bee3c167c --- /dev/null +++ b/Dockerfile @@ -0,0 +1 @@ +FROM python:3.12-slim From ec55a4f8eee4209e60b88ca38346f55cf046f7f9 Mon Sep 17 00:00:00 2001 From: said-moj <45761276+said-moj@users.noreply.github.com> Date: Tue, 14 May 2024 12:15:13 +0100 Subject: [PATCH 02/98] Add ruff code formatting and linting job --- .github/workflows/workflow.yml | 9 +++++++++ src/test.py | 0 2 files changed, 9 insertions(+) create mode 100644 src/test.py diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index 87c10fe28..3dfd9a435 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -1,5 +1,14 @@ on: push jobs: + linting-and-formatting: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: chartboost/ruff-action@v1 + with: + args: check --output-format=github + src: './src' + build-and-push: uses: ./.github/workflows/build-and-push.yml with: diff --git a/src/test.py b/src/test.py new file mode 100644 index 000000000..e69de29bb From 6c265b29b791984a6adfb417c9409f398a644d85 Mon Sep 17 00:00:00 2001 
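Review bot: `on: push` in `workflow.yml` has no branch filter, so every push to any branch calls `build-and-push.yml` with `secrets.ECR_ROLE_TO_ASSUME` and publishes an image to ECR. If per-branch images are intended, that is worth a comment above the trigger; if not, restrict it, for example `on:` / `push:` / `branches: [<DEFAULT_BRANCH>]`, or gate the `build-and-push` job with an `if:` on `github.ref`. Either way, the role's trust policy on the AWS side should only accept the refs that are meant to publish.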
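Review bot: `FROM python:3.12-slim` is the whole Dockerfile, so the image runs as the base image's default user, which for the official Python images is root; add a non-root `USER` with a numeric UID before this image is deployed. The chart added later in this series sets `runAsNonRoot: true`, which Kubernetes enforces by refusing to start a container whose image runs as UID 0. The tag is also mutable, so pinning by digest (`FROM python:3.12-slim@sha256:<DIGEST>`) would make the image built for a given commit reproducible.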
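Review bot: The new `linting-and-formatting` job runs a third-party action (`chartboost/ruff-action@v1`) with no `permissions:` block, so it receives the repository's default `GITHUB_TOKEN` scopes. Add `permissions:` with `contents: read` to this job; it only needs to read the checkout. Setting it at job level rather than at the top of the workflow avoids capping the `id-token: write` that the reusable `build-and-push` workflow requests.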
From: Ben Millar Date: Tue, 14 May 2024 15:47:34 +0100 Subject: [PATCH 03/98] Added inital helm chart --- .../laa-access-civil-legal-aid/.helmignore | 23 ++++++ .../laa-access-civil-legal-aid/Chart.yaml | 19 +++++ .../templates/NOTES.txt | 22 ++++++ .../templates/_helpers.tpl | 62 ++++++++++++++++ .../templates/deployment.yaml | 72 +++++++++++++++++++ .../templates/ingress.yaml | 61 ++++++++++++++++ .../templates/service.yaml | 15 ++++ .../templates/tests/test-connection.yaml | 15 ++++ .../values/values-dev.yaml | 12 ++++ .../values/values-production.yaml | 10 +++ .../values/values-staging.yaml | 10 +++ .../values/values-uat.yaml | 15 ++++ .../values/values.yaml | 47 ++++++++++++ 13 files changed, 383 insertions(+) create mode 100644 helm_deploy/laa-access-civil-legal-aid/.helmignore create mode 100644 helm_deploy/laa-access-civil-legal-aid/Chart.yaml create mode 100644 helm_deploy/laa-access-civil-legal-aid/templates/NOTES.txt create mode 100644 helm_deploy/laa-access-civil-legal-aid/templates/_helpers.tpl create mode 100644 helm_deploy/laa-access-civil-legal-aid/templates/deployment.yaml create mode 100644 helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml create mode 100644 helm_deploy/laa-access-civil-legal-aid/templates/service.yaml create mode 100644 helm_deploy/laa-access-civil-legal-aid/templates/tests/test-connection.yaml create mode 100644 helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml create mode 100644 helm_deploy/laa-access-civil-legal-aid/values/values-production.yaml create mode 100644 helm_deploy/laa-access-civil-legal-aid/values/values-staging.yaml create mode 100644 helm_deploy/laa-access-civil-legal-aid/values/values-uat.yaml create mode 100644 helm_deploy/laa-access-civil-legal-aid/values/values.yaml diff --git a/helm_deploy/laa-access-civil-legal-aid/.helmignore b/helm_deploy/laa-access-civil-legal-aid/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null 
+++ b/helm_deploy/laa-access-civil-legal-aid/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/helm_deploy/laa-access-civil-legal-aid/Chart.yaml b/helm_deploy/laa-access-civil-legal-aid/Chart.yaml new file mode 100644 index 000000000..02f6a1059 --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v2 +name: laa-access-civil-legal-aid +description: A web service used by the public to get access to civil legal aid services. + +# A chart can be either an 'application' or a 'library' chart. +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "0.1.0" diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/NOTES.txt b/helm_deploy/laa-access-civil-legal-aid/templates/NOTES.txt new file mode 100644 index 000000000..80e9f863a --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/templates/NOTES.txt 
@@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "laa-access-civil-legal-aid.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "laa-access-civil-legal-aid.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "laa-access-civil-legal-aid.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "laa-access-civil-legal-aid.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} 
diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/_helpers.tpl b/helm_deploy/laa-access-civil-legal-aid/templates/_helpers.tpl new file mode 100644 index 000000000..290868b96 --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "laa-access-civil-legal-aid.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "laa-access-civil-legal-aid.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "laa-access-civil-legal-aid.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "laa-access-civil-legal-aid.labels" -}} +helm.sh/chart: {{ include "laa-access-civil-legal-aid.chart" . }} +{{ include "laa-access-civil-legal-aid.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "laa-access-civil-legal-aid.selectorLabels" -}} +app.kubernetes.io/name: {{ include "laa-access-civil-legal-aid.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "laa-access-civil-legal-aid.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "laa-access-civil-legal-aid.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/deployment.yaml b/helm_deploy/laa-access-civil-legal-aid/templates/deployment.yaml new file mode 100644 index 000000000..7cd2cda18 --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/templates/deployment.yaml 
@@ -0,0 +1,72 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "laa-access-civil-legal-aid.fullname" . }} + labels: + {{- include "laa-access-civil-legal-aid.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "laa-access-civil-legal-aid.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "laa-access-civil-legal-aid.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "laa-access-civil-legal-aid.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: {{ .Values.service.port }} + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.volumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} 
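Review bot: `.Values.autoscaling.enabled` at the top of `spec` and `.Values.serviceAccount.create` (reached through the `laa-access-civil-legal-aid.serviceAccountName` helper) dereference maps that none of the values files in this commit define, so rendering will most likely stop with a nil-pointer error unless another values source supplies them. Add `autoscaling:` with `enabled: false` and `serviceAccount:` with `create: false` and `name: ""` to the default values, or drop the two references. The container block also has no `env:` section, so the `envVars` map set in `values-dev.yaml` and `values-uat.yaml` is never rendered into the pod.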
diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml b/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml new file mode 100644 index 000000000..bed3990eb --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml 
@@ -0,0 +1,61 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "laa-access-civil-legal-aid.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "laa-access-civil-legal-aid.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} 
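Review bot: Nothing in `ingress.yaml` reads `.Values.ingress.whitelist`, so the source-range list defined in `values.yaml` is never applied; the only annotations rendered come from `.Values.ingress.annotations`, which is `{}` by default and not set in the UAT, staging or production files that enable the ingress. If the cluster uses ingress-nginx (to be confirmed), render the list inside the `annotations:` block, e.g. `nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," .Values.ingress.whitelist | quote }}` under a `with .Values.ingress.whitelist` guard. As written, those hosts are reachable from any source address the controller accepts.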
diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/service.yaml b/helm_deploy/laa-access-civil-legal-aid/templates/service.yaml new file mode 100644 index 000000000..bddc98272 --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "laa-access-civil-legal-aid.fullname" . }} + labels: + {{- include "laa-access-civil-legal-aid.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "laa-access-civil-legal-aid.selectorLabels" . | nindent 4 }} diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/tests/test-connection.yaml b/helm_deploy/laa-access-civil-legal-aid/templates/tests/test-connection.yaml new file mode 100644 index 000000000..1cac5b58b --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/templates/tests/test-connection.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "laa-access-civil-legal-aid.fullname" . }}-test-connection" + labels: + {{- include "laa-access-civil-legal-aid.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "laa-access-civil-legal-aid.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml b/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml new file mode 100644 index 000000000..8f2139044 --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml 
@@ -0,0 +1,12 @@ +# Default values for laa-access-civil-legal-aid in the dev environment. +# The laa-access-civil-legal-aid-dev namespace installs an new helm release per feature branch +# this is then uninstalled when the branch is merged. +environment: "dev" + +ingress: + enabled: false + +# Lists don't deep merge, so this list of envVars overrides anything defined in an earlier values file +envVars: + DEBUG: + value: "True" diff --git a/helm_deploy/laa-access-civil-legal-aid/values/values-production.yaml b/helm_deploy/laa-access-civil-legal-aid/values/values-production.yaml new file mode 100644 index 000000000..81297d9ef --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/values/values-production.yaml @@ -0,0 +1,10 @@ +# Default values for cla-backend in the production environment. +environment: "production" + +ingress: + enabled: true + hosts: + - host: "access-civil-legal-aid.cloud-platform.service.justice.gov.uk" + paths: + - path: / + pathType: ImplementationSpecific diff --git a/helm_deploy/laa-access-civil-legal-aid/values/values-staging.yaml b/helm_deploy/laa-access-civil-legal-aid/values/values-staging.yaml new file mode 100644 index 000000000..256ccef37 --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/values/values-staging.yaml @@ -0,0 +1,10 @@ +# Default values for cla-backend in the staging environment. +environment: "staging" + +ingress: + enabled: true + hosts: + - host: "access-civil-legal-aid-staging.cloud-platform.service.justice.gov.uk" + paths: + - path: / + pathType: ImplementationSpecific diff --git a/helm_deploy/laa-access-civil-legal-aid/values/values-uat.yaml b/helm_deploy/laa-access-civil-legal-aid/values/values-uat.yaml new file mode 100644 index 000000000..c971156b5 --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/values/values-uat.yaml 
@@ -0,0 +1,15 @@ +# Default values for laa-access-civil-legal-aid in the uat environment. +environment: "uat" + +ingress: + enabled: true + hosts: + - host: "access-civil-legal-aid-uat.cloud-platform.service.justice.gov.uk" + paths: + - path: / + pathType: ImplementationSpecific + +# Lists don't deep merge, so this list of envVars overrides anything defined in an earlier values file +envVars: + DEBUG: + value: "True" diff --git a/helm_deploy/laa-access-civil-legal-aid/values/values.yaml b/helm_deploy/laa-access-civil-legal-aid/values/values.yaml new file mode 100644 index 000000000..6dce98b89 --- /dev/null +++ b/helm_deploy/laa-access-civil-legal-aid/values/values.yaml @@ -0,0 +1,47 @@ +# Default values for laa-access-civil-legal-aid. +# These can be overwritten by values defined in environment specific values files. +replicaCount: 1 + +image: + repository: laa-access-civil-legal-aid + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: latest + +imagePullSecrets: [] + +podAnnotations: {} +podLabels: {} + +podSecurityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + +securityContext: {} + +service: + type: ClusterIP + port: 80 + +ingress: + enabled: false + className: "" + annotations: {} + tls: [] + whitelist: + # GlobalProtect VPN (Digital Mac) + - 18.169.147.172/32 + - 35.176.93.186/32 + - 18.130.148.126/32 + - 35.176.148.126/32 + +resources: {} + +volumes: [] + +volumeMounts: [] +nodeSelector: {} + +tolerations: [] + +affinity: {} From d04397a46913321c18753eb8d12747a406078b12 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 15:34:54 +0100 Subject: [PATCH 04/98] Give the Workflow a name --- .github/workflows/workflow.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index 3dfd9a435..827c5838b 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml 
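Review bot: `allowPrivilegeEscalation: false` sits under `podSecurityContext` in `values.yaml`, which `deployment.yaml` renders into the pod-level `securityContext`; that field exists only on the container-level security context, so here it is either rejected by API validation or dropped, while the container's own `securityContext` stays `{}`. Move it to `securityContext:` as `allowPrivilegeEscalation: false`, keeping `runAsNonRoot: true` where it is, and consider `capabilities: {drop: [ALL]}` alongside it if the application allows. `tag: latest` with `pullPolicy: IfNotPresent` can leave a node running a stale cached image whenever the tag is not overridden on the command line; removing the default lets the template fall back to `.Chart.AppVersion`.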
@@ -1,4 +1,9 @@ +name: Build, Test and Deploy + +run-name: Build, Test and Deploy ${{ github.ref_name }} + on: push + jobs: linting-and-formatting: runs-on: ubuntu-latest From bb03f1467156f6c6ec0f8c688b425f9386e7ca54 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 15:36:55 +0100 Subject: [PATCH 05/98] Gave the jobs names --- .github/workflows/workflow.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index 827c5838b..dbe10f1e8 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -6,6 +6,7 @@ on: push jobs: linting-and-formatting: + name: Linting and Formatting runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -15,6 +16,7 @@ jobs: src: './src' build-and-push: + name: Build and Push to ECR uses: ./.github/workflows/build-and-push.yml with: ECR_REGION: ${{vars.ECR_REGION}} From 762cf7cffd67d9f04efc5efe2888fff2f46f7894 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 15:44:40 +0100 Subject: [PATCH 06/98] Only build if linting and formatting has passed --- .github/workflows/workflow.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index dbe10f1e8..9f0f335b2 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -16,8 +16,9 @@ jobs: src: './src' build-and-push: - name: Build and Push to ECR + name: Build and Push uses: ./.github/workflows/build-and-push.yml + needs: linting-and-formatting with: ECR_REGION: ${{vars.ECR_REGION}} ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} From b5acb2438ce0f00e65c8369c5bf37d46620ade45 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 15:49:16 +0100 Subject: [PATCH 07/98] Renamed jobs --- .github/workflows/build-and-push.yml | 5 ++++- .github/workflows/workflow.yml | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index 577d1189b..f66ff423c 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -14,7 +14,8 @@ on: jobs: - ecr: + build-and-push-to-ecr: + name: Build and Push to ECR runs-on: ubuntu-latest permissions: id-token: write # This is required for requesting the JWT @@ -32,6 +33,8 @@ jobs: # Login to container repository - uses: aws-actions/amazon-ecr-login@v1 id: login-ecr + with: + mask-password: true # Build and push a Docker image to the container repository - run: | diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index 9f0f335b2..80b438285 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -16,7 +16,7 @@ jobs: src: './src' build-and-push: - name: Build and Push + name: Build uses: ./.github/workflows/build-and-push.yml needs: linting-and-formatting with: From 251ef9e9e74d6849434c53fc69f3a41622348715 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 15:52:07 +0100 Subject: [PATCH 08/98] Update the GitHub actions in the build and push workflow --- .github/workflows/build-and-push.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index f66ff423c..b885eaa7f 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml 
@@ -22,16 +22,16 @@ jobs: contents: read # This is required for actions/checkout steps: # Checkout GitHub repository - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # Assume role in Cloud Platform - - uses: aws-actions/configure-aws-credentials@v2 + - uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ secrets.ECR_ROLE_TO_ASSUME }} aws-region: ${{ inputs.ECR_REGION }} # Login to container repository - - uses: aws-actions/amazon-ecr-login@v1 + - uses: aws-actions/amazon-ecr-login@v2 id: login-ecr with: mask-password: true From f54f732adf242da70155a47a9716de0265c8cb15 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 16:32:06 +0100 Subject: [PATCH 09/98] Add deploy step --- .github/workflows/deploy.yml | 168 +++++++++++++++++++++++++++++++++ .github/workflows/workflow.yml | 10 ++ 2 files changed, 178 insertions(+) create mode 100644 .github/workflows/deploy.yml diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml new file mode 100644 index 000000000..8c3cea936 --- /dev/null +++ b/.github/workflows/deploy.yml 
@@ -0,0 +1,168 @@ +name: Deploy image to cluster +on: + workflow_call: + inputs: + ECR_REGION: + required: true + type: string + ECR_REPOSITORY: + required: true + type: string + secrets: + ECR_ROLE_TO_ASSUME: + required: true + + +jobs: + dev: + name: Deploy to Dev + environment: dev + runs-on: ubuntu-latest + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + steps: + - name: Checkout GitHub repository + uses: actions/checkout@v4 + + - name: Authenticate to the cluster + env: + KUBE_CERT: ${{ secrets.KUBE_CERT }} + KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + run: | + echo "${KUBE_CERT}" > ca.crt + kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} + kubectl config set-credentials deploy-user --token=${KUBE_TOKEN} + kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${{ secrets.KUBE_NAMESPACE }} + kubectl config use-context ${KUBE_CLUSTER} + + - name: Upgrade the Helm chart + env: + IMAGE_TAG: ${{ github.sha }} + REPOSITORY: ${{ inputs.ECR_REPOSITORY }} + HELM_DIR: "$ROOT/../helm_deploy/laa-access-civil-legal-aid/" + run: | + helm upgrade laa-access-civil-legal-aid \ + $HELM_DIR \ + --namespace=${{ secrets.KUBE_NAMESPACE }} \ + --values ${HELM_DIR}/values-staging.yaml \ + --set image.repository=$REPOSITORY \ + --set image.tag=$IMAGE_TAG \ + --force \ + --install + + uat: + name: Deploy to UAT + environment: uat + needs: dev + runs-on: ubuntu-latest + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + steps: + - name: Checkout GitHub repository + uses: actions/checkout@v4 + + - name: Authenticate to the cluster + env: + KUBE_CERT: ${{ secrets.KUBE_CERT }} + KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + run: | + echo 
"${KUBE_CERT}" > ca.crt + kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} + kubectl config set-credentials deploy-user --token=${KUBE_TOKEN} + kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} + kubectl config use-context ${KUBE_CLUSTER} + + - name: Upgrade the Helm chart + env: + IMAGE_TAG: ${{ github.sha }} + REPOSITORY: ${{ inputs.ECR_REPOSITORY }} + HELM_DIR: "$ROOT/../helm_deploy/laa-access-civil-legal-aid/" + run: | + helm upgrade laa-access-civil-legal-aid \ + $HELM_DIR \ + --namespace=${{ secrets.KUBE_NAMESPACE }} \ + --values ${HELM_DIR}/values-staging.yaml \ + --set image.repository=$REPOSITORY \ + --set image.tag=$IMAGE_TAG \ + --force \ + --install + + staging: + name: Deploy to Staging + needs: uat + runs-on: ubuntu-latest + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + steps: + - name: Checkout GitHub repository + uses: actions/checkout@v4 + + - name: Authenticate to the cluster + env: + KUBE_CERT: ${{ secrets.KUBE_CERT }} + KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + run: | + echo "${KUBE_CERT}" > ca.crt + kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} + kubectl config set-credentials deploy-user --token=${KUBE_TOKEN} + kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${{ secrets.KUBE_NAMESPACE }} + kubectl config use-context ${KUBE_CLUSTER} + + - name: Upgrade the Helm chart + env: + IMAGE_TAG: ${{ github.sha }} + REPOSITORY: ${{ inputs.ECR_REPOSITORY }} + HELM_DIR: "$ROOT/../helm_deploy/laa-access-civil-legal-aid/" + run: | + helm upgrade laa-access-civil-legal-aid \ + $HELM_DIR \ + --namespace=${KUBE_NAMESPACE} \ + --values ${HELM_DIR}/values-staging.yaml \ + --set 
image.repository=$REPOSITORY \ + --set image.tag=$IMAGE_TAG \ + --force \ + --install + + production: + name: Deploy to Production + needs: staging + runs-on: ubuntu-latest + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + steps: + - name: Checkout GitHub repository + uses: actions/checkout@v4 + + - name: Authenticate to the cluster + env: + KUBE_CERT: ${{ secrets.KUBE_CERT }} + KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + run: | + echo "${KUBE_CERT}" > ca.crt + kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} + kubectl config set-credentials deploy-user --token=${KUBE_TOKEN} + kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${{ secrets.KUBE_NAMESPACE }} + kubectl config use-context ${KUBE_CLUSTER} + + - name: Upgrade the Helm chart + env: + IMAGE_TAG: ${{ github.sha }} + REPOSITORY: ${{ inputs.ECR_REPOSITORY }} + HELM_DIR: "$ROOT/../helm_deploy/laa-access-civil-legal-aid/" + run: | + helm upgrade laa-access-civil-legal-aid \ + $HELM_DIR \ + --namespace=${{ secrets.KUBE_NAMESPACE }} \ + --values ${HELM_DIR}/values-staging.yaml \ + --set image.repository=$REPOSITORY \ + --set image.tag=$IMAGE_TAG \ + --force \ + --install \ No newline at end of file diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index 80b438285..02cefb2d2 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -24,3 +24,13 @@ jobs: ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} secrets: ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} + + deploy: + name: Deploy + uses: ./.github/workflows/deploy.yml + needs: build-and-push + with: + ECR_REGION: ${{vars.ECR_REGION}} + ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} + secrets: + ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} 
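Review bot: The `staging` and `production` jobs in `deploy.yml` have no `environment:` key (only `dev` and `uat` do), so no environment protection rule or environment-scoped secret can apply to them, and with the caller running `on: push` each push proceeds `dev` → `uat` → `staging` → `production` using the same `KUBE_*` secrets. Add `environment: staging` and `environment: production`, and configure required reviewers on the production environment if a deploy there should need approval. `${KUBE_NAMESPACE}` is used in the `uat` authentication step and in the `staging` Helm step without being defined in either step's `env:`, so it expands to an empty string in both. None of the four jobs has an OIDC step, so `id-token: write` can be dropped from their `permissions:`.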
From 8ba8d6370259df8ee0e8da0b5aef469e6108937e Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 16:39:55 +0100 Subject: [PATCH 10/98] Modified cluster authentication step --- .github/workflows/deploy.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 8c3cea936..aa88d0f71 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -27,14 +27,13 @@ jobs: - name: Authenticate to the cluster env: - KUBE_CERT: ${{ secrets.KUBE_CERT }} - KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} run: | - echo "${KUBE_CERT}" > ca.crt + echo "${{ secrets.KUBE_CERT }}" > ca.crt kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} - kubectl config set-credentials deploy-user --token=${KUBE_TOKEN} - kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${{ secrets.KUBE_NAMESPACE }} + kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} + kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} kubectl config use-context ${KUBE_CLUSTER} - name: Upgrade the Helm chart From b06f2f30ae2c08a12e7a815f3cea41c6e3d97ff4 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 16:45:06 +0100 Subject: [PATCH 11/98] Add secrets to deploy call --- .github/workflows/deploy.yml | 8 ++++++++ .github/workflows/workflow.yml | 4 ++++ 2 files changed, 12 insertions(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index aa88d0f71..1a425af0e 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
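Review bot: `echo "${{ secrets.KUBE_CERT }}" > ca.crt` and `--token=${{ secrets.KUBE_TOKEN }}` paste the secret values into the script text before the shell parses it, so a double quote, `$` or backtick inside either value is interpreted by the shell instead of being treated as data. Keep both secrets in the step's `env:` as they were and quote the expansions: `echo "${KUBE_CERT}" > ca.crt` and `kubectl config set-credentials deploy-user --token="${KUBE_TOKEN}"`. Adding `KUBE_NAMESPACE` to `env:` is the part of this change worth keeping. The hunk touches only the `dev` job; the `uat` authentication step still reads `${KUBE_NAMESPACE}` without defining it.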
@@ -11,6 +11,14 @@ on: secrets: ECR_ROLE_TO_ASSUME: required: true + KUBE_CERT: + required: true + KUBE_CLUSTER: + required: true + KUBE_NAMESPACE: + required: true + KUBE_TOKEN: + required: true jobs: diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index 02cefb2d2..d5c72fcfb 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -34,3 +34,7 @@ jobs: ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} secrets: ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} + KUBE_CERT: ${{ secrets.KUBE_CERT }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} From efcaff27919ff4412267bbb60d7714f59ec30736 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 16:50:47 +0100 Subject: [PATCH 12/98] Wrap env var in curly braces --- .github/workflows/deploy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 1a425af0e..04ad74ebc 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -48,10 +48,10 @@ jobs: env: IMAGE_TAG: ${{ github.sha }} REPOSITORY: ${{ inputs.ECR_REPOSITORY }} - HELM_DIR: "$ROOT/../helm_deploy/laa-access-civil-legal-aid/" + HELM_DIR: "${ROOT}/../helm_deploy/laa-access-civil-legal-aid/" run: | helm upgrade laa-access-civil-legal-aid \ - $HELM_DIR \ + ${HELM_DIR} \ --namespace=${{ secrets.KUBE_NAMESPACE }} \ --values ${HELM_DIR}/values-staging.yaml \ --set image.repository=$REPOSITORY \ From 3ac0bc4603eb29e882007c26a0fedcc4ecf4f2ba Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 16:53:34 +0100 Subject: [PATCH 13/98] Change repo path --- .github/workflows/deploy.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 04ad74ebc..be423da81 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
@@ -48,8 +48,9 @@ jobs: env: IMAGE_TAG: ${{ github.sha }} REPOSITORY: ${{ inputs.ECR_REPOSITORY }} - HELM_DIR: "${ROOT}/../helm_deploy/laa-access-civil-legal-aid/" + HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" run: | + ls helm upgrade laa-access-civil-legal-aid \ ${HELM_DIR} \ --namespace=${{ secrets.KUBE_NAMESPACE }} \ From 46085079cfc3c1489e2744ba9c048f719d15f9d9 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 17:04:15 +0100 Subject: [PATCH 14/98] Uses values directory --- .github/workflows/deploy.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index be423da81..a6a9b20e7 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -54,7 +54,7 @@ jobs: helm upgrade laa-access-civil-legal-aid \ ${HELM_DIR} \ --namespace=${{ secrets.KUBE_NAMESPACE }} \ - --values ${HELM_DIR}/values-staging.yaml \ + --values ${HELM_DIR}/values/values-dev.yaml \ --set image.repository=$REPOSITORY \ --set image.tag=$IMAGE_TAG \ --force \ @@ -93,7 +93,7 @@ jobs: helm upgrade laa-access-civil-legal-aid \ $HELM_DIR \ --namespace=${{ secrets.KUBE_NAMESPACE }} \ - --values ${HELM_DIR}/values-staging.yaml \ + --values ${HELM_DIR}/values/values-uat.yaml \ --set image.repository=$REPOSITORY \ --set image.tag=$IMAGE_TAG \ --force \ @@ -131,7 +131,7 @@ jobs: helm upgrade laa-access-civil-legal-aid \ $HELM_DIR \ --namespace=${KUBE_NAMESPACE} \ - --values ${HELM_DIR}/values-staging.yaml \ + --values ${HELM_DIR}/values/values-staging.yaml \ --set image.repository=$REPOSITORY \ --set image.tag=$IMAGE_TAG \ --force \ @@ -169,7 +169,7 @@ jobs: helm upgrade laa-access-civil-legal-aid \ $HELM_DIR \ --namespace=${{ secrets.KUBE_NAMESPACE }} \ - --values ${HELM_DIR}/values-staging.yaml \ + --values ${HELM_DIR}/values/values-production.yaml \ --set image.repository=$REPOSITORY \ --set image.tag=$IMAGE_TAG \ --force \ 
From b133cdd03bd3922a752ba049ff4e5922d2799d02 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 17:07:45 +0100 Subject: [PATCH 15/98] Set nameOverride and fullnameOverride to nothing --- helm_deploy/laa-access-civil-legal-aid/values/values.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/helm_deploy/laa-access-civil-legal-aid/values/values.yaml b/helm_deploy/laa-access-civil-legal-aid/values/values.yaml index 6dce98b89..436f26aa4 100644 --- a/helm_deploy/laa-access-civil-legal-aid/values/values.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/values/values.yaml @@ -9,6 +9,8 @@ image: tag: latest imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" podAnnotations: {} podLabels: {} From f9f6f2066e538a20876fd086320561cbc94ceb33 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 17:13:56 +0100 Subject: [PATCH 16/98] Moved values.yaml --- helm_deploy/laa-access-civil-legal-aid/{values => }/values.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename helm_deploy/laa-access-civil-legal-aid/{values => }/values.yaml (100%) diff --git a/helm_deploy/laa-access-civil-legal-aid/values/values.yaml b/helm_deploy/laa-access-civil-legal-aid/values.yaml similarity index 100% rename from helm_deploy/laa-access-civil-legal-aid/values/values.yaml rename to helm_deploy/laa-access-civil-legal-aid/values.yaml From d1e27449ba4df9bfea18edfbd4b66a48950cf6ff Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 17:16:01 +0100 Subject: [PATCH 17/98] Disable autoscaling --- helm_deploy/laa-access-civil-legal-aid/values.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/helm_deploy/laa-access-civil-legal-aid/values.yaml b/helm_deploy/laa-access-civil-legal-aid/values.yaml index 436f26aa4..cac1d4dd6 100644 --- a/helm_deploy/laa-access-civil-legal-aid/values.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/values.yaml @@ -39,6 +39,9 @@ ingress: resources: {} +autoscaling: + enabled: false + volumes: [] volumeMounts: [] 
From 812c4dd80f1175779c0cd612c3abfebf39ea4790 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 17:20:49 +0100 Subject: [PATCH 18/98] Disable creating a service account --- helm_deploy/laa-access-civil-legal-aid/values.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/helm_deploy/laa-access-civil-legal-aid/values.yaml b/helm_deploy/laa-access-civil-legal-aid/values.yaml index cac1d4dd6..8bb5f0256 100644 --- a/helm_deploy/laa-access-civil-legal-aid/values.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/values.yaml @@ -12,6 +12,10 @@ imagePullSecrets: [] nameOverride: "" fullnameOverride: "" +serviceAccount: + # We already have a serviceaccount so we don't want to create another. + create: false + podAnnotations: {} podLabels: {} From 66d2b1049a549341eb6a6261777ab27a77e89196 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 17:27:57 +0100 Subject: [PATCH 19/98] Updated helm upgrade step for other environments --- .github/workflows/deploy.yml | 42 ++++++++++++++++-------------------- 1 file changed, 19 insertions(+), 23 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index a6a9b20e7..10c17d556 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -50,7 +50,6 @@ jobs: REPOSITORY: ${{ inputs.ECR_REPOSITORY }} HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" run: | - ls helm upgrade laa-access-civil-legal-aid \ ${HELM_DIR} \ --namespace=${{ secrets.KUBE_NAMESPACE }} \ 
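Review bot: The added `serviceAccount` block sets `create: false` without a `name`, so the account the pods run as is decided by the chart templates, which are not part of this hunk. If the chart keeps the stock `helm create` helper, an unset name with `create: false` resolves to the namespace's `default` service account, not the existing one the comment refers to. Naming it explicitly under `serviceAccount:`, as `name: <existing-serviceaccount-name>`, makes the pod identity reviewable in values.yaml. The comment could then say which account is meant.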
@@ -74,13 +73,12 @@ jobs: - name: Authenticate to the cluster env: - KUBE_CERT: ${{ secrets.KUBE_CERT }} - KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} run: | - echo "${KUBE_CERT}" > ca.crt + echo "${{ secrets.KUBE_CERT }}" > ca.crt kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} - kubectl config set-credentials deploy-user --token=${KUBE_TOKEN} + kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} kubectl config use-context ${KUBE_CLUSTER} @@ -88,12 +86,12 @@ jobs: env: IMAGE_TAG: ${{ github.sha }} REPOSITORY: ${{ inputs.ECR_REPOSITORY }} - HELM_DIR: "$ROOT/../helm_deploy/laa-access-civil-legal-aid/" + HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" run: | helm upgrade laa-access-civil-legal-aid \ - $HELM_DIR \ + ${HELM_DIR} \ --namespace=${{ secrets.KUBE_NAMESPACE }} \ - --values ${HELM_DIR}/values/values-uat.yaml \ + --values ${HELM_DIR}/values/values-dev.yaml \ --set image.repository=$REPOSITORY \ --set image.tag=$IMAGE_TAG \ --force \ 
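Review bot: The second hunk here replaces `--values ${HELM_DIR}/values/values-uat.yaml` with `--values ${HELM_DIR}/values/values-dev.yaml`, which looks like a copy-paste slip from the dev job and not part of the HELM_DIR clean-up. As written, the job that previously used the UAT values file would be deployed with dev settings. Keep the original line, `--values ${HELM_DIR}/values/values-uat.yaml \`. The job header is outside the hunk, so which job this is has been inferred from the removed file name.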
@@ -112,25 +110,24 @@ jobs: - name: Authenticate to the cluster env: - KUBE_CERT: ${{ secrets.KUBE_CERT }} - KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} run: | - echo "${KUBE_CERT}" > ca.crt + echo "${{ secrets.KUBE_CERT }}" > ca.crt kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} - kubectl config set-credentials deploy-user --token=${KUBE_TOKEN} - kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${{ secrets.KUBE_NAMESPACE }} + kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} + kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} kubectl config use-context ${KUBE_CLUSTER} - name: Upgrade the Helm chart env: IMAGE_TAG: ${{ github.sha }} REPOSITORY: ${{ inputs.ECR_REPOSITORY }} - HELM_DIR: "$ROOT/../helm_deploy/laa-access-civil-legal-aid/" + HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" run: | helm upgrade laa-access-civil-legal-aid \ - $HELM_DIR \ - --namespace=${KUBE_NAMESPACE} \ + ${HELM_DIR} \ + --namespace=${{ secrets.KUBE_NAMESPACE }} \ --values ${HELM_DIR}/values/values-staging.yaml \ --set image.repository=$REPOSITORY \ --set image.tag=$IMAGE_TAG \ 
@@ -150,24 +147,23 @@ jobs: - name: Authenticate to the cluster env: - KUBE_CERT: ${{ secrets.KUBE_CERT }} - KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} run: | - echo "${KUBE_CERT}" > ca.crt + echo "${{ secrets.KUBE_CERT }}" > ca.crt kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} - kubectl config set-credentials deploy-user --token=${KUBE_TOKEN} - kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${{ secrets.KUBE_NAMESPACE }} + kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} + kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} kubectl config use-context ${KUBE_CLUSTER} - name: Upgrade the Helm chart env: IMAGE_TAG: ${{ github.sha }} REPOSITORY: ${{ inputs.ECR_REPOSITORY }} - HELM_DIR: "$ROOT/../helm_deploy/laa-access-civil-legal-aid/" + HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" run: | helm upgrade laa-access-civil-legal-aid \ - $HELM_DIR \ + ${HELM_DIR} \ --namespace=${{ secrets.KUBE_NAMESPACE }} \ --values ${HELM_DIR}/values/values-production.yaml \ --set image.repository=$REPOSITORY \ From d132408d2bcfab162a722cfe63723d67e06c2678 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 17:34:25 +0100 Subject: [PATCH 20/98] Added additional environment tags --- .github/workflows/deploy.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 10c17d556..954bd0962 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -99,6 +99,7 @@ jobs: staging: name: Deploy to Staging + environment: staging needs: uat runs-on: ubuntu-latest permissions: 
@@ -136,6 +137,7 @@ jobs: production: name: Deploy to Production + environment: production needs: staging runs-on: ubuntu-latest permissions: From 04c8e9e3ec619ad7dd13f4221f0603361d6084d0 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 17:40:30 +0100 Subject: [PATCH 21/98] Only run staging and production jobs on main --- .github/workflows/deploy.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 954bd0962..5be442bc5 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -101,6 +101,7 @@ jobs: name: Deploy to Staging environment: staging needs: uat + if: github.ref == 'refs/heads/main' runs-on: ubuntu-latest permissions: id-token: write # This is required for requesting the JWT @@ -139,6 +140,7 @@ jobs: name: Deploy to Production environment: production needs: staging + if: github.ref == 'refs/heads/main' runs-on: ubuntu-latest permissions: id-token: write # This is required for requesting the JWT From 25f09d8fe3b4c35bca83525e1ef164440a88dcb5 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 18:29:22 +0100 Subject: [PATCH 22/98] Updated job dependencies --- .github/workflows/deploy.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 5be442bc5..a048352d2 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -61,7 +61,6 @@ jobs: uat: name: Deploy to UAT - environment: uat needs: dev runs-on: ubuntu-latest permissions: @@ -100,7 +99,6 @@ jobs: staging: name: Deploy to Staging environment: staging - needs: uat if: github.ref == 'refs/heads/main' runs-on: ubuntu-latest permissions: From 7b0ef104c05b883447d42a7162e3c82943c35845 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 18:30:08 +0100 Subject: [PATCH 23/98] Remove dependency on dev from UAT --- .github/workflows/deploy.yml | 1 - 1 file changed, 1 deletion(-) 
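Review bot: The `if: github.ref == 'refs/heads/main'` condition added to the staging and production jobs is a guard that lives only in the workflow file, and workflow.yml earlier in this series is triggered `on: push` for every branch. A run started from another branch uses that branch's copy of the workflow, so the condition by itself is a convenience and not an access control. Pair it with a deployment branch policy and required reviewers on the `staging` and `production` environments, and hold the KUBE_* values as environment secrets, so the restriction does not depend on workflow content. A comment on the added line would record that, for example `# Branch gate only; enforcement is the environment's deployment branch policy`. Both job definitions continue outside these hunks.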
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index a048352d2..aedcd4074 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -61,7 +61,6 @@ jobs: uat: name: Deploy to UAT - needs: dev runs-on: ubuntu-latest permissions: id-token: write # This is required for requesting the JWT From 6dd87f3cc8f290f1a8bc90726e896d9a4cd1f0be Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 18:32:05 +0100 Subject: [PATCH 24/98] Add back uat environment requirement --- .github/workflows/deploy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index aedcd4074..b575cb473 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -61,6 +61,7 @@ jobs: uat: name: Deploy to UAT + environment: uat runs-on: ubuntu-latest permissions: id-token: write # This is required for requesting the JWT From 31d14b96d5b5b3d9513b1194d1833b768e4ccf31 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 19:15:01 +0100 Subject: [PATCH 25/98] Make deploy workflow modular --- .github/workflows/deploy.yml | 125 ++------------------------------- .github/workflows/workflow.yml | 1 + 2 files changed, 8 insertions(+), 118 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index b575cb473..252b23742 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -2,6 +2,9 @@ name: Deploy image to cluster on: workflow_call: inputs: + environment: + required: True + type: string ECR_REGION: required: true type: string 
@@ -22,123 +25,9 @@ on: jobs: - dev: - name: Deploy to Dev - environment: dev - runs-on: ubuntu-latest - permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout - steps: - - name: Checkout GitHub repository - uses: actions/checkout@v4 - - - name: Authenticate to the cluster - env: - KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} - KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} - run: | - echo "${{ secrets.KUBE_CERT }}" > ca.crt - kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} - kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} - kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} - kubectl config use-context ${KUBE_CLUSTER} - - - name: Upgrade the Helm chart - env: - IMAGE_TAG: ${{ github.sha }} - REPOSITORY: ${{ inputs.ECR_REPOSITORY }} - HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" - run: | - helm upgrade laa-access-civil-legal-aid \ - ${HELM_DIR} \ - --namespace=${{ secrets.KUBE_NAMESPACE }} \ - --values ${HELM_DIR}/values/values-dev.yaml \ - --set image.repository=$REPOSITORY \ - --set image.tag=$IMAGE_TAG \ - --force \ - --install - - uat: - name: Deploy to UAT - environment: uat - runs-on: ubuntu-latest - permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout - steps: - - name: Checkout GitHub repository - uses: actions/checkout@v4 - - - name: Authenticate to the cluster - env: - KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} - KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} - run: | - echo "${{ secrets.KUBE_CERT }}" > ca.crt - kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} - kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} - kubectl config set-context ${KUBE_CLUSTER} 
--cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} - kubectl config use-context ${KUBE_CLUSTER} - - - name: Upgrade the Helm chart - env: - IMAGE_TAG: ${{ github.sha }} - REPOSITORY: ${{ inputs.ECR_REPOSITORY }} - HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" - run: | - helm upgrade laa-access-civil-legal-aid \ - ${HELM_DIR} \ - --namespace=${{ secrets.KUBE_NAMESPACE }} \ - --values ${HELM_DIR}/values/values-dev.yaml \ - --set image.repository=$REPOSITORY \ - --set image.tag=$IMAGE_TAG \ - --force \ - --install - - staging: - name: Deploy to Staging - environment: staging - if: github.ref == 'refs/heads/main' - runs-on: ubuntu-latest - permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout - steps: - - name: Checkout GitHub repository - uses: actions/checkout@v4 - - - name: Authenticate to the cluster - env: - KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} - KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} - run: | - echo "${{ secrets.KUBE_CERT }}" > ca.crt - kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} - kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} - kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} - kubectl config use-context ${KUBE_CLUSTER} - - - name: Upgrade the Helm chart - env: - IMAGE_TAG: ${{ github.sha }} - REPOSITORY: ${{ inputs.ECR_REPOSITORY }} - HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" - run: | - helm upgrade laa-access-civil-legal-aid \ - ${HELM_DIR} \ - --namespace=${{ secrets.KUBE_NAMESPACE }} \ - --values ${HELM_DIR}/values/values-staging.yaml \ - --set image.repository=$REPOSITORY \ - --set image.tag=$IMAGE_TAG \ - --force \ - --install - - production: - name: Deploy to Production - environment: production - needs: staging - if: github.ref == 'refs/heads/main' + deploy: + name: 
Deploy to ${{ inputs.environment }} + environment: ${{ inputs.environment }} runs-on: ubuntu-latest permissions: id-token: write # This is required for requesting the JWT @@ -167,7 +56,7 @@ jobs: helm upgrade laa-access-civil-legal-aid \ ${HELM_DIR} \ --namespace=${{ secrets.KUBE_NAMESPACE }} \ - --values ${HELM_DIR}/values/values-production.yaml \ + --values ${HELM_DIR}/values/values-${{ inputs.environment }}.yaml \ --set image.repository=$REPOSITORY \ --set image.tag=$IMAGE_TAG \ --force \ diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index d5c72fcfb..9a4b0ed72 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -30,6 +30,7 @@ jobs: uses: ./.github/workflows/deploy.yml needs: build-and-push with: + environment: dev ECR_REGION: ${{vars.ECR_REGION}} ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} secrets: From 03ba3cfd343ce014164f65f07c80cb785a163570 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 19:46:27 +0100 Subject: [PATCH 26/98] Revert "Make deploy workflow modular" This reverts commit 31d14b96d5b5b3d9513b1194d1833b768e4ccf31. --- .github/workflows/deploy.yml | 125 +++++++++++++++++++++++++++++++-- .github/workflows/workflow.yml | 1 - 2 files changed, 118 insertions(+), 8 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 252b23742..b575cb473 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -2,9 +2,6 @@ name: Deploy image to cluster on: workflow_call: inputs: - environment: - required: True - type: string ECR_REGION: required: true type: string 
@@ -25,9 +22,123 @@ on: jobs: - deploy: - name: Deploy to ${{ inputs.environment }} - environment: ${{ inputs.environment }} + dev: + name: Deploy to Dev + environment: dev + runs-on: ubuntu-latest + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + steps: + - name: Checkout GitHub repository + uses: actions/checkout@v4 + + - name: Authenticate to the cluster + env: + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + run: | + echo "${{ secrets.KUBE_CERT }}" > ca.crt + kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} + kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} + kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} + kubectl config use-context ${KUBE_CLUSTER} + + - name: Upgrade the Helm chart + env: + IMAGE_TAG: ${{ github.sha }} + REPOSITORY: ${{ inputs.ECR_REPOSITORY }} + HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" + run: | + helm upgrade laa-access-civil-legal-aid \ + ${HELM_DIR} \ + --namespace=${{ secrets.KUBE_NAMESPACE }} \ + --values ${HELM_DIR}/values/values-dev.yaml \ + --set image.repository=$REPOSITORY \ + --set image.tag=$IMAGE_TAG \ + --force \ + --install + + uat: + name: Deploy to UAT + environment: uat + runs-on: ubuntu-latest + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + steps: + - name: Checkout GitHub repository + uses: actions/checkout@v4 + + - name: Authenticate to the cluster + env: + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + run: | + echo "${{ secrets.KUBE_CERT }}" > ca.crt + kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} + kubectl config set-credentials 
deploy-user --token=${{ secrets.KUBE_TOKEN }} + kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} + kubectl config use-context ${KUBE_CLUSTER} + + - name: Upgrade the Helm chart + env: + IMAGE_TAG: ${{ github.sha }} + REPOSITORY: ${{ inputs.ECR_REPOSITORY }} + HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" + run: | + helm upgrade laa-access-civil-legal-aid \ + ${HELM_DIR} \ + --namespace=${{ secrets.KUBE_NAMESPACE }} \ + --values ${HELM_DIR}/values/values-dev.yaml \ + --set image.repository=$REPOSITORY \ + --set image.tag=$IMAGE_TAG \ + --force \ + --install + + staging: + name: Deploy to Staging + environment: staging + if: github.ref == 'refs/heads/main' + runs-on: ubuntu-latest + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + steps: + - name: Checkout GitHub repository + uses: actions/checkout@v4 + + - name: Authenticate to the cluster + env: + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + run: | + echo "${{ secrets.KUBE_CERT }}" > ca.crt + kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} + kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} + kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} + kubectl config use-context ${KUBE_CLUSTER} + + - name: Upgrade the Helm chart + env: + IMAGE_TAG: ${{ github.sha }} + REPOSITORY: ${{ inputs.ECR_REPOSITORY }} + HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" + run: | + helm upgrade laa-access-civil-legal-aid \ + ${HELM_DIR} \ + --namespace=${{ secrets.KUBE_NAMESPACE }} \ + --values ${HELM_DIR}/values/values-staging.yaml \ + --set image.repository=$REPOSITORY \ + --set image.tag=$IMAGE_TAG \ + --force \ + --install + + production: + name: Deploy to Production + 
environment: production + needs: staging + if: github.ref == 'refs/heads/main' runs-on: ubuntu-latest permissions: id-token: write # This is required for requesting the JWT @@ -56,7 +167,7 @@ jobs: helm upgrade laa-access-civil-legal-aid \ ${HELM_DIR} \ --namespace=${{ secrets.KUBE_NAMESPACE }} \ - --values ${HELM_DIR}/values/values-${{ inputs.environment }}.yaml \ + --values ${HELM_DIR}/values/values-production.yaml \ --set image.repository=$REPOSITORY \ --set image.tag=$IMAGE_TAG \ --force \ diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index 9a4b0ed72..d5c72fcfb 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -30,7 +30,6 @@ jobs: uses: ./.github/workflows/deploy.yml needs: build-and-push with: - environment: dev ECR_REGION: ${{vars.ECR_REGION}} ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} secrets: From 15c399241c41d6d63c1955fea29c3c33e92f8560 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 21:49:54 +0100 Subject: [PATCH 27/98] Broke deploy steps into different files --- .github/workflows/deploy.yml | 174 ------------------------------- .github/workflows/dev.yml | 60 +++++++++++ .github/workflows/production.yml | 60 +++++++++++ .github/workflows/staging.yml | 60 +++++++++++ .github/workflows/uat.yml | 60 +++++++++++ .github/workflows/workflow.yml | 48 ++++++++- 6 files changed, 286 insertions(+), 176 deletions(-) delete mode 100644 .github/workflows/deploy.yml create mode 100644 .github/workflows/dev.yml create mode 100644 .github/workflows/production.yml create mode 100644 .github/workflows/staging.yml create mode 100644 .github/workflows/uat.yml diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml deleted file mode 100644 index b575cb473..000000000 --- a/.github/workflows/deploy.yml +++ /dev/null 
@@ -1,174 +0,0 @@ -name: Deploy image to cluster -on: - workflow_call: - inputs: - ECR_REGION: - required: true - type: string - ECR_REPOSITORY: - required: true - type: string - secrets: - ECR_ROLE_TO_ASSUME: - required: true - KUBE_CERT: - required: true - KUBE_CLUSTER: - required: true - KUBE_NAMESPACE: - required: true - KUBE_TOKEN: - required: true - - -jobs: - dev: - name: Deploy to Dev - environment: dev - runs-on: ubuntu-latest - permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout - steps: - - name: Checkout GitHub repository - uses: actions/checkout@v4 - - - name: Authenticate to the cluster - env: - KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} - KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} - run: | - echo "${{ secrets.KUBE_CERT }}" > ca.crt - kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} - kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} - kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} - kubectl config use-context ${KUBE_CLUSTER} - - - name: Upgrade the Helm chart - env: - IMAGE_TAG: ${{ github.sha }} - REPOSITORY: ${{ inputs.ECR_REPOSITORY }} - HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" - run: | - helm upgrade laa-access-civil-legal-aid \ - ${HELM_DIR} \ - --namespace=${{ secrets.KUBE_NAMESPACE }} \ - --values ${HELM_DIR}/values/values-dev.yaml \ - --set image.repository=$REPOSITORY \ - --set image.tag=$IMAGE_TAG \ - --force \ - --install - - uat: - name: Deploy to UAT - environment: uat - runs-on: ubuntu-latest - permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout - steps: - - name: Checkout GitHub repository - uses: actions/checkout@v4 - - - name: Authenticate to the cluster - env: - KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} - 
KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} - run: | - echo "${{ secrets.KUBE_CERT }}" > ca.crt - kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} - kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} - kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} - kubectl config use-context ${KUBE_CLUSTER} - - - name: Upgrade the Helm chart - env: - IMAGE_TAG: ${{ github.sha }} - REPOSITORY: ${{ inputs.ECR_REPOSITORY }} - HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" - run: | - helm upgrade laa-access-civil-legal-aid \ - ${HELM_DIR} \ - --namespace=${{ secrets.KUBE_NAMESPACE }} \ - --values ${HELM_DIR}/values/values-dev.yaml \ - --set image.repository=$REPOSITORY \ - --set image.tag=$IMAGE_TAG \ - --force \ - --install - - staging: - name: Deploy to Staging - environment: staging - if: github.ref == 'refs/heads/main' - runs-on: ubuntu-latest - permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout - steps: - - name: Checkout GitHub repository - uses: actions/checkout@v4 - - - name: Authenticate to the cluster - env: - KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} - KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} - run: | - echo "${{ secrets.KUBE_CERT }}" > ca.crt - kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} - kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} - kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} - kubectl config use-context ${KUBE_CLUSTER} - - - name: Upgrade the Helm chart - env: - IMAGE_TAG: ${{ github.sha }} - REPOSITORY: ${{ inputs.ECR_REPOSITORY }} - HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" - run: | - helm upgrade laa-access-civil-legal-aid \ - ${HELM_DIR} \ - 
--namespace=${{ secrets.KUBE_NAMESPACE }} \ - --values ${HELM_DIR}/values/values-staging.yaml \ - --set image.repository=$REPOSITORY \ - --set image.tag=$IMAGE_TAG \ - --force \ - --install - - production: - name: Deploy to Production - environment: production - needs: staging - if: github.ref == 'refs/heads/main' - runs-on: ubuntu-latest - permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout - steps: - - name: Checkout GitHub repository - uses: actions/checkout@v4 - - - name: Authenticate to the cluster - env: - KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} - KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} - run: | - echo "${{ secrets.KUBE_CERT }}" > ca.crt - kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} - kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} - kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} - kubectl config use-context ${KUBE_CLUSTER} - - - name: Upgrade the Helm chart - env: - IMAGE_TAG: ${{ github.sha }} - REPOSITORY: ${{ inputs.ECR_REPOSITORY }} - HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" - run: | - helm upgrade laa-access-civil-legal-aid \ - ${HELM_DIR} \ - --namespace=${{ secrets.KUBE_NAMESPACE }} \ - --values ${HELM_DIR}/values/values-production.yaml \ - --set image.repository=$REPOSITORY \ - --set image.tag=$IMAGE_TAG \ - --force \ - --install \ No newline at end of file diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml new file mode 100644 index 000000000..101571601 --- /dev/null +++ b/.github/workflows/dev.yml 
@@ -0,0 +1,60 @@ +name: Deploy image to the dev environment +on: + workflow_call: + inputs: + ECR_REGION: + required: true + type: string + ECR_REPOSITORY: + required: true + type: string + secrets: + ECR_ROLE_TO_ASSUME: + required: true + KUBE_CERT: + required: true + KUBE_CLUSTER: + required: true + KUBE_NAMESPACE: + required: true + KUBE_TOKEN: + required: true + + +jobs: + dev: + name: Dev + environment: dev + runs-on: ubuntu-latest + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + steps: + - name: Checkout GitHub repository + uses: actions/checkout@v4 + + - name: Authenticate to the cluster + env: + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + run: | + echo "${{ secrets.KUBE_CERT }}" > ca.crt + kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} + kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} + kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} + kubectl config use-context ${KUBE_CLUSTER} + + - name: Upgrade the Helm chart + env: + IMAGE_TAG: ${{ github.sha }} + REPOSITORY: ${{ inputs.ECR_REPOSITORY }} + HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" + run: | + helm upgrade laa-access-civil-legal-aid \ + ${HELM_DIR} \ + --namespace=${{ secrets.KUBE_NAMESPACE }} \ + --values ${HELM_DIR}/values/values-dev.yaml \ + --set image.repository=$REPOSITORY \ + --set image.tag=$IMAGE_TAG \ + --force \ + --install diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml new file mode 100644 index 000000000..01d15b1ce --- /dev/null +++ b/.github/workflows/production.yml 
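Review bot: The `Authenticate to the cluster` step splices `${{ secrets.KUBE_CERT }}` and `${{ secrets.KUBE_TOKEN }}` directly into the script text, so the secret values are expanded into the shell source before the shell parses it, and any quote or metacharacter in them changes what runs. Passing them through the step's `env:` block, as the step already does for `KUBE_CLUSTER` and `KUBE_NAMESPACE`, keeps the rendered script free of secret material. The same applies to `--namespace=${{ secrets.KUBE_NAMESPACE }}` in the Helm step, and to the identical steps in production.yml, staging.yml and uat.yml added by this commit.

```yaml
      - name: Authenticate to the cluster
        env:
          # … unchanged: KUBE_NAMESPACE, KUBE_CLUSTER …
          KUBE_CERT: ${{ secrets.KUBE_CERT }}
          KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }}
        run: |
          echo "$KUBE_CERT" > ca.crt
          # … unchanged: kubectl config set-cluster …
          kubectl config set-credentials deploy-user --token="$KUBE_TOKEN"
          # … unchanged: set-context, use-context …
```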
@@ -0,0 +1,60 @@ +name: Deploy image to the production environment +on: + workflow_call: + inputs: + ECR_REGION: + required: true + type: string + ECR_REPOSITORY: + required: true + type: string + secrets: + ECR_ROLE_TO_ASSUME: + required: true + KUBE_CERT: + required: true + KUBE_CLUSTER: + required: true + KUBE_NAMESPACE: + required: true + KUBE_TOKEN: + required: true + + +jobs: + production: + name: Production + environment: production + runs-on: ubuntu-latest + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + steps: + - name: Checkout GitHub repository + uses: actions/checkout@v4 + + - name: Authenticate to the cluster + env: + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + run: | + echo "${{ secrets.KUBE_CERT }}" > ca.crt + kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} + kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} + kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} + kubectl config use-context ${KUBE_CLUSTER} + + - name: Upgrade the Helm chart + env: + IMAGE_TAG: ${{ github.sha }} + REPOSITORY: ${{ inputs.ECR_REPOSITORY }} + HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" + run: | + helm upgrade laa-access-civil-legal-aid \ + ${HELM_DIR} \ + --namespace=${{ secrets.KUBE_NAMESPACE }} \ + --values ${HELM_DIR}/values/values-dev.yaml \ + --set image.repository=$REPOSITORY \ + --set image.tag=$IMAGE_TAG \ + --force \ + --install diff --git a/.github/workflows/staging.yml b/.github/workflows/staging.yml new file mode 100644 index 000000000..9f302a4d0 --- /dev/null +++ b/.github/workflows/staging.yml 
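Review bot: The production deploy passes `--values ${HELM_DIR}/values/values-dev.yaml`, so the `production` environment would be released with the dev values file; the deploy.yml removed by this commit used `values-production.yaml` for that job. The line should read `--values ${HELM_DIR}/values/values-production.yaml \`. staging.yml and uat.yml in this commit carry the same `values-dev.yaml` line and each needs its own environment's file (the removed deploy.yml used `values-staging.yaml` for staging).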
@@ -0,0 +1,60 @@ +name: Deploy image to the staging environment +on: + workflow_call: + inputs: + ECR_REGION: + required: true + type: string + ECR_REPOSITORY: + required: true + type: string + secrets: + ECR_ROLE_TO_ASSUME: + required: true + KUBE_CERT: + required: true + KUBE_CLUSTER: + required: true + KUBE_NAMESPACE: + required: true + KUBE_TOKEN: + required: true + + +jobs: + staging: + name: Staging + environment: staging + runs-on: ubuntu-latest + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + steps: + - name: Checkout GitHub repository + uses: actions/checkout@v4 + + - name: Authenticate to the cluster + env: + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + run: | + echo "${{ secrets.KUBE_CERT }}" > ca.crt + kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} + kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} + kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} + kubectl config use-context ${KUBE_CLUSTER} + + - name: Upgrade the Helm chart + env: + IMAGE_TAG: ${{ github.sha }} + REPOSITORY: ${{ inputs.ECR_REPOSITORY }} + HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" + run: | + helm upgrade laa-access-civil-legal-aid \ + ${HELM_DIR} \ + --namespace=${{ secrets.KUBE_NAMESPACE }} \ + --values ${HELM_DIR}/values/values-dev.yaml \ + --set image.repository=$REPOSITORY \ + --set image.tag=$IMAGE_TAG \ + --force \ + --install diff --git a/.github/workflows/uat.yml b/.github/workflows/uat.yml new file mode 100644 index 000000000..03c88f46f --- /dev/null +++ b/.github/workflows/uat.yml 
@@ -0,0 +1,60 @@ +name: Deploy image to the UAT environment +on: + workflow_call: + inputs: + ECR_REGION: + required: true + type: string + ECR_REPOSITORY: + required: true + type: string + secrets: + ECR_ROLE_TO_ASSUME: + required: true + KUBE_CERT: + required: true + KUBE_CLUSTER: + required: true + KUBE_NAMESPACE: + required: true + KUBE_TOKEN: + required: true + + +jobs: + uat: + name: UAT + environment: uat + runs-on: ubuntu-latest + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + steps: + - name: Checkout GitHub repository + uses: actions/checkout@v4 + + - name: Authenticate to the cluster + env: + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + run: | + echo "${{ secrets.KUBE_CERT }}" > ca.crt + kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} + kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} + kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} + kubectl config use-context ${KUBE_CLUSTER} + + - name: Upgrade the Helm chart + env: + IMAGE_TAG: ${{ github.sha }} + REPOSITORY: ${{ inputs.ECR_REPOSITORY }} + HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" + run: | + helm upgrade laa-access-civil-legal-aid \ + ${HELM_DIR} \ + --namespace=${{ secrets.KUBE_NAMESPACE }} \ + --values ${HELM_DIR}/values/values-dev.yaml \ + --set image.repository=$REPOSITORY \ + --set image.tag=$IMAGE_TAG \ + --force \ + --install \ No newline at end of file diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index d5c72fcfb..c541468e4 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml 
@@ -25,9 +25,53 @@ jobs: secrets: ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} - deploy: + deploy-dev: name: Deploy - uses: ./.github/workflows/deploy.yml + uses: ./.github/workflows/deploy/dev.yml + needs: build-and-push + with: + ECR_REGION: ${{vars.ECR_REGION}} + ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} + secrets: + ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} + KUBE_CERT: ${{ secrets.KUBE_CERT }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} + + deploy-uat: + name: Deploy + uses: ./.github/workflows/deploy/uat.yml + needs: build-and-push + with: + ECR_REGION: ${{vars.ECR_REGION}} + ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} + secrets: + ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} + KUBE_CERT: ${{ secrets.KUBE_CERT }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} + + deploy-staging: + name: Deploy + uses: ./.github/workflows/deploy/uat.yml + if: github.ref == 'refs/heads/master' + needs: build-and-push + with: + ECR_REGION: ${{vars.ECR_REGION}} + ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} + secrets: + ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} + KUBE_CERT: ${{ secrets.KUBE_CERT }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} + + deploy-production: + name: Deploy + uses: ./.github/workflows/deploy/production.yml + if: github.ref == 'refs/heads/master' needs: build-and-push with: ECR_REGION: ${{vars.ECR_REGION}} From 6f07112e2e3fdabc915802a58a6b0fa2d5e29779 Mon Sep 17 00:00:00 2001 
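Review bot: `deploy-staging` and `deploy-production` are gated on `github.ref == 'refs/heads/master'`, while the deploy.yml removed in this commit gated the same environments on `refs/heads/main`; if the default branch is `main`, neither job will ever run. `deploy-production` also lists only `needs: build-and-push`, dropping the earlier `needs: staging` ordering, so a production release would no longer wait for staging to succeed. I would use `if: github.ref == 'refs/heads/main'` on both jobs and `needs: deploy-staging` on production. Separately, `deploy-staging` points at `deploy/uat.yml`, and all four `uses:` paths name a `deploy/` subdirectory, whereas this commit creates the files directly under `.github/workflows/`.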
From: Ben Millar Date: Wed, 15 May 2024 21:52:09 +0100 Subject: [PATCH 28/98] Refactored deploy into a reusable step --- .github/workflows/{dev.yml => deploy.yml} | 11 +++-- .github/workflows/production.yml | 60 ----------------------- .github/workflows/staging.yml | 60 ----------------------- .github/workflows/uat.yml | 60 ----------------------- .github/workflows/workflow.yml | 22 +++++---- 5 files changed, 20 insertions(+), 193 deletions(-) rename .github/workflows/{dev.yml => deploy.yml} (89%) delete mode 100644 .github/workflows/production.yml delete mode 100644 .github/workflows/staging.yml delete mode 100644 .github/workflows/uat.yml diff --git a/.github/workflows/dev.yml b/.github/workflows/deploy.yml similarity index 89% rename from .github/workflows/dev.yml rename to .github/workflows/deploy.yml index 101571601..2cb772b7d 100644 --- a/.github/workflows/dev.yml +++ b/.github/workflows/deploy.yml @@ -2,6 +2,9 @@ name: Deploy image to the dev environment on: workflow_call: inputs: + environment: + required: true + type: string ECR_REGION: required: true type: string @@ -22,9 +25,9 @@ on: jobs: - dev: - name: Dev - environment: dev + deploy: + name: Deploy + environment: ${{ input.environment }} runs-on: ubuntu-latest permissions: id-token: write # This is required for requesting the JWT @@ -53,7 +56,7 @@ jobs: helm upgrade laa-access-civil-legal-aid \ ${HELM_DIR} \ --namespace=${{ secrets.KUBE_NAMESPACE }} \ - --values ${HELM_DIR}/values/values-dev.yaml \ + --values ${HELM_DIR}/values/values-${{ input.environment }}.yaml \ --set image.repository=$REPOSITORY \ --set image.tag=$IMAGE_TAG \ --force \ diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml deleted file mode 100644 index 01d15b1ce..000000000 --- a/.github/workflows/production.yml +++ /dev/null 
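Review bot: `${{ input.environment }}` in the second and third hunks does not name a defined context; `workflow_call` inputs are read through `inputs`, so neither the job's `environment:` nor the `--values` path would resolve as intended. The job line should be `environment: ${{ inputs.environment }}`. For the Helm step I would avoid splicing the expression into the script and pass it through the existing `env:` block instead: `ENVIRONMENT: ${{ inputs.environment }}` with `--values "${HELM_DIR}/values/values-${ENVIRONMENT}.yaml" \`. The workflow's `name:` still reads "Deploy image to the dev environment" although it now serves every environment.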
@@ -1,60 +0,0 @@ -name: Deploy image to the production environment -on: - workflow_call: - inputs: - ECR_REGION: - required: true - type: string - ECR_REPOSITORY: - required: true - type: string - secrets: - ECR_ROLE_TO_ASSUME: - required: true - KUBE_CERT: - required: true - KUBE_CLUSTER: - required: true - KUBE_NAMESPACE: - required: true - KUBE_TOKEN: - required: true - - -jobs: - production: - name: Production - environment: production - runs-on: ubuntu-latest - permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout - steps: - - name: Checkout GitHub repository - uses: actions/checkout@v4 - - - name: Authenticate to the cluster - env: - KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} - KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} - run: | - echo "${{ secrets.KUBE_CERT }}" > ca.crt - kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} - kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} - kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} - kubectl config use-context ${KUBE_CLUSTER} - - - name: Upgrade the Helm chart - env: - IMAGE_TAG: ${{ github.sha }} - REPOSITORY: ${{ inputs.ECR_REPOSITORY }} - HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" - run: | - helm upgrade laa-access-civil-legal-aid \ - ${HELM_DIR} \ - --namespace=${{ secrets.KUBE_NAMESPACE }} \ - --values ${HELM_DIR}/values/values-dev.yaml \ - --set image.repository=$REPOSITORY \ - --set image.tag=$IMAGE_TAG \ - --force \ - --install diff --git a/.github/workflows/staging.yml b/.github/workflows/staging.yml deleted file mode 100644 index 9f302a4d0..000000000 --- a/.github/workflows/staging.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -name: Deploy image to the staging environment -on: - workflow_call: - inputs: - ECR_REGION: - required: true - type: string - ECR_REPOSITORY: - required: true - type: string - secrets: - ECR_ROLE_TO_ASSUME: - required: true - KUBE_CERT: - required: true - KUBE_CLUSTER: - required: true - KUBE_NAMESPACE: - required: true - KUBE_TOKEN: - required: true - - -jobs: - staging: - name: Staging - environment: staging - runs-on: ubuntu-latest - permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout - steps: - - name: Checkout GitHub repository - uses: actions/checkout@v4 - - - name: Authenticate to the cluster - env: - KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} - KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} - run: | - echo "${{ secrets.KUBE_CERT }}" > ca.crt - kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} - kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} - kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} - kubectl config use-context ${KUBE_CLUSTER} - - - name: Upgrade the Helm chart - env: - IMAGE_TAG: ${{ github.sha }} - REPOSITORY: ${{ inputs.ECR_REPOSITORY }} - HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" - run: | - helm upgrade laa-access-civil-legal-aid \ - ${HELM_DIR} \ - --namespace=${{ secrets.KUBE_NAMESPACE }} \ - --values ${HELM_DIR}/values/values-dev.yaml \ - --set image.repository=$REPOSITORY \ - --set image.tag=$IMAGE_TAG \ - --force \ - --install diff --git a/.github/workflows/uat.yml b/.github/workflows/uat.yml deleted file mode 100644 index 03c88f46f..000000000 --- a/.github/workflows/uat.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -name: Deploy image to the UAT environment -on: - workflow_call: - inputs: - ECR_REGION: - required: true - type: string - ECR_REPOSITORY: - required: true - type: string - secrets: - ECR_ROLE_TO_ASSUME: - required: true - KUBE_CERT: - required: true - KUBE_CLUSTER: - required: true - KUBE_NAMESPACE: - required: true - KUBE_TOKEN: - required: true - - -jobs: - uat: - name: UAT - environment: uat - runs-on: ubuntu-latest - permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout - steps: - - name: Checkout GitHub repository - uses: actions/checkout@v4 - - - name: Authenticate to the cluster - env: - KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} - KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} - run: | - echo "${{ secrets.KUBE_CERT }}" > ca.crt - kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} - kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} - kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} - kubectl config use-context ${KUBE_CLUSTER} - - - name: Upgrade the Helm chart - env: - IMAGE_TAG: ${{ github.sha }} - REPOSITORY: ${{ inputs.ECR_REPOSITORY }} - HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" - run: | - helm upgrade laa-access-civil-legal-aid \ - ${HELM_DIR} \ - --namespace=${{ secrets.KUBE_NAMESPACE }} \ - --values ${HELM_DIR}/values/values-dev.yaml \ - --set image.repository=$REPOSITORY \ - --set image.tag=$IMAGE_TAG \ - --force \ - --install \ No newline at end of file diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index c541468e4..197f637d5 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml 
@@ -26,10 +26,11 @@ jobs: ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} deploy-dev: - name: Deploy - uses: ./.github/workflows/deploy/dev.yml + name: Dev + uses: ./.github/workflows/deploy.yml needs: build-and-push with: + environment: dev ECR_REGION: ${{vars.ECR_REGION}} ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} secrets: @@ -40,10 +41,11 @@ jobs: KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} deploy-uat: - name: Deploy - uses: ./.github/workflows/deploy/uat.yml + name: UAT + uses: ./.github/workflows/deploy.yml needs: build-and-push with: + environment: uat ECR_REGION: ${{vars.ECR_REGION}} ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} secrets: @@ -54,11 +56,12 @@ jobs: KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} deploy-staging: - name: Deploy - uses: ./.github/workflows/deploy/uat.yml + name: Staging + uses: ./.github/workflows/deploy.yml if: github.ref == 'refs/heads/master' needs: build-and-push with: + environment: staging ECR_REGION: ${{vars.ECR_REGION}} ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} secrets: @@ -69,11 +72,12 @@ jobs: KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} deploy-production: - name: Deploy - uses: ./.github/workflows/deploy/production.yml + name: Production + uses: ./.github/workflows/deploy.yml if: github.ref == 'refs/heads/master' - needs: build-and-push + needs: deploy-staging with: + environment: production ECR_REGION: ${{vars.ECR_REGION}} ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} secrets: From 66f29e310ec8b18c47c99f07fd4e211ce34342bd Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 22:08:48 +0100 Subject: [PATCH 29/98] Added ingres annotations --- .github/workflows/deploy.yml | 4 ++-- .../laa-access-civil-legal-aid/templates/ingress.yaml | 2 ++ helm_deploy/laa-access-civil-legal-aid/values.yaml | 8 ++++++-- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 2cb772b7d..3da9ca257 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
@@ -27,7 +27,7 @@ on: jobs: deploy: name: Deploy - environment: ${{ input.environment }} + environment: ${{ inputs.environment }} runs-on: ubuntu-latest permissions: id-token: write # This is required for requesting the JWT @@ -56,7 +56,7 @@ jobs: helm upgrade laa-access-civil-legal-aid \ ${HELM_DIR} \ --namespace=${{ secrets.KUBE_NAMESPACE }} \ - --values ${HELM_DIR}/values/values-${{ input.environment }}.yaml \ + --values ${HELM_DIR}/values/values-${{ inputs.environment }}.yaml \ --set image.repository=$REPOSITORY \ --set image.tag=$IMAGE_TAG \ --force \ diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml b/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml index bed3990eb..e66eb5197 100644 --- a/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml @@ -20,6 +20,8 @@ metadata: {{- include "laa-access-civil-legal-aid.labels" . | nindent 4 }} {{- with .Values.ingress.annotations }} annotations: + external-dns.alpha.kubernetes.io/set-identifier: "{{ $fullName }}-{{ .Release.Namespace }}-{{- .Values.ingress.cluster.name -}}", + external-dns.alpha.kubernetes.io/aws-weight: "{{- .Values.ingress.cluster.weight -}}" {{- toYaml . | nindent 4 }} {{- end }} spec: diff --git a/helm_deploy/laa-access-civil-legal-aid/values.yaml b/helm_deploy/laa-access-civil-legal-aid/values.yaml index 8bb5f0256..46d0465f1 100644 --- a/helm_deploy/laa-access-civil-legal-aid/values.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/values.yaml @@ -19,9 +19,10 @@ serviceAccount: podAnnotations: {} podLabels: {} -podSecurityContext: - runAsNonRoot: true +podSecurityContext: { + runAsNonRoot: true, allowPrivilegeEscalation: false +} securityContext: {} @@ -33,6 +34,9 @@ ingress: enabled: false className: "" annotations: {} + cluster: + name: ~ + weight: ~ tls: [] whitelist: # GlobalProtect VPN (Digital Mac) From 3b66c37b60de3e8e9de94ae82d6c8aa076ad6243 Mon Sep 17 00:00:00 2001 
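Review bot: In the values.yaml hunk, `allowPrivilegeEscalation: false` sits inside `podSecurityContext`, but in the Kubernetes API that field belongs to the container-level `securityContext`, not the pod-level one. Assuming the chart renders `podSecurityContext` into the pod spec (the template is not visible here), the key is either rejected or dropped and the container keeps the default. I would keep `runAsNonRoot: true` under `podSecurityContext` and replace `securityContext: {}` with a `securityContext:` mapping holding `allowPrivilegeEscalation: false`. Block style would also read better than the `{ … }` flow mapping this hunk introduces.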
From: Ben Millar Date: Wed, 15 May 2024 22:46:20 +0100 Subject: [PATCH 30/98] Set cluster name and weight --- .../laa-access-civil-legal-aid/templates/ingress.yaml | 8 +++++--- helm_deploy/laa-access-civil-legal-aid/values.yaml | 4 ++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml b/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml index e66eb5197..23623ed13 100644 --- a/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml @@ -18,12 +18,14 @@ metadata: name: {{ $fullName }} labels: {{- include "laa-access-civil-legal-aid.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} annotations: - external-dns.alpha.kubernetes.io/set-identifier: "{{ $fullName }}-{{ .Release.Namespace }}-{{- .Values.ingress.cluster.name -}}", + {{- if .Values.ingress.cluster.name }} + external-dns.alpha.kubernetes.io/set-identifier: "{{ $fullName }}-{{ .Release.Namespace }}-{{- .Values.ingress.cluster.name -}}" external-dns.alpha.kubernetes.io/aws-weight: "{{- .Values.ingress.cluster.weight -}}" + {{- end }} + {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} - {{- end }} + {{- end }} spec: {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} ingressClassName: {{ .Values.ingress.className }} diff --git a/helm_deploy/laa-access-civil-legal-aid/values.yaml b/helm_deploy/laa-access-civil-legal-aid/values.yaml index 46d0465f1..83e608cb5 100644 --- a/helm_deploy/laa-access-civil-legal-aid/values.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/values.yaml @@ -35,8 +35,8 @@ ingress: className: "" annotations: {} cluster: - name: ~ - weight: ~ + name: green + weight: '100' tls: [] whitelist: # GlobalProtect VPN (Digital Mac) From afa60c8d6ff78e248eb6742268978692ad56e63b Mon Sep 17 00:00:00 2001 
From: Ben Millar Date: Wed, 15 May 2024 23:03:03 +0100 Subject: [PATCH 31/98] Name the workflow after the branch --- .github/workflows/workflow.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index 197f637d5..16130b00a 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -1,4 +1,4 @@ -name: Build, Test and Deploy +name: ${{ github.ref_name }} run-name: Build, Test and Deploy ${{ github.ref_name }} From 09d2db43740f098b4e00e79a55cfb74dc8b64cc3 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 23:03:26 +0100 Subject: [PATCH 32/98] Revert "Name the workflow after the branch" This reverts commit afa60c8d6ff78e248eb6742268978692ad56e63b. --- .github/workflows/workflow.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index 16130b00a..197f637d5 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -1,4 +1,4 @@ -name: ${{ github.ref_name }} +name: Build, Test and Deploy run-name: Build, Test and Deploy ${{ github.ref_name }} From a1d7c30f764e30c40821fbbbcfbd18318235ed19 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Wed, 15 May 2024 23:27:24 +0100 Subject: [PATCH 33/98] Renamed run name to the name of the branch --- .github/workflows/workflow.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index 197f637d5..7cf0dc4af 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -1,6 +1,6 @@ name: Build, Test and Deploy -run-name: Build, Test and Deploy ${{ github.ref_name }} +run-name: ${{ github.ref_name }} on: push From 02d0698b525367edb55d639af6291a67098ee902 Mon Sep 17 00:00:00 2001 
From: Ben Millar Date: Thu, 16 May 2024 10:56:00 +0100 Subject: [PATCH 34/98] Add two workflows depending on branch --- .../{build-and-push.yml => build.yml} | 0 .github/workflows/feature-branch.yml | 53 +++++++++++++++++++ .../{workflow.yml => main-branch.yml} | 49 +++-------------- .github/workflows/static-analysis.yml | 13 +++++ 4 files changed, 74 insertions(+), 41 deletions(-) rename .github/workflows/{build-and-push.yml => build.yml} (100%) create mode 100644 .github/workflows/feature-branch.yml rename .github/workflows/{workflow.yml => main-branch.yml} (52%) create mode 100644 .github/workflows/static-analysis.yml diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build.yml similarity index 100% rename from .github/workflows/build-and-push.yml rename to .github/workflows/build.yml diff --git a/.github/workflows/feature-branch.yml b/.github/workflows/feature-branch.yml new file mode 100644 index 000000000..264901c3a --- /dev/null +++ b/.github/workflows/feature-branch.yml 
@@ -0,0 +1,53 @@ +name: Feature Branch + +run-name: ${{ github.ref_name }} + +on: + push: + branches-ignore: + - main + +jobs: + static-analysis: + name: Static Analysis + uses: ./.github/workflows/static-analysis.yml + + build-and-push: + name: Build + uses: ./.github/workflows/build-and-push.yml + needs: linting-and-formatting + with: + ECR_REGION: ${{vars.ECR_REGION}} + ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} + secrets: + ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} + + deploy-dev: + name: Dev + uses: ./.github/workflows/deploy.yml + needs: build-and-push + with: + environment: dev + ECR_REGION: ${{vars.ECR_REGION}} + ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} + secrets: + ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} + KUBE_CERT: ${{ secrets.KUBE_CERT }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} + + deploy-uat: + name: UAT + uses: ./.github/workflows/deploy.yml + needs: build-and-push + with: + environment: uat + ECR_REGION: ${{vars.ECR_REGION}} + ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} + secrets: + ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} + KUBE_CERT: ${{ secrets.KUBE_CERT }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/workflow.yml b/.github/workflows/main-branch.yml similarity index 52% rename from .github/workflows/workflow.yml rename to .github/workflows/main-branch.yml index 7cf0dc4af..f875906f6 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/main-branch.yml 
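Review bot: The `build-and-push` job refers to two names that do not exist after this commit: `uses: ./.github/workflows/build-and-push.yml`, although the same commit renames that file to build.yml, and `needs: linting-and-formatting`, although the only analysis job defined here is `static-analysis`. A workflow with an unknown `needs` target or a missing reusable workflow is expected to fail before any job starts, which would also skip the static analysis. The two lines should read `uses: ./.github/workflows/build.yml` and `needs: static-analysis`.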
@@ -1,19 +1,16 @@ -name: Build, Test and Deploy +name: Release run-name: ${{ github.ref_name }} -on: push +on: + push: + branches: + - main jobs: - linting-and-formatting: - name: Linting and Formatting - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: chartboost/ruff-action@v1 - with: - args: check --output-format=github - src: './src' + static-analysis: + name: Static Analysis + uses: ./.github/workflows/static-analysis.yml build-and-push: name: Build @@ -25,36 +22,6 @@ jobs: secrets: ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} - deploy-dev: - name: Dev - uses: ./.github/workflows/deploy.yml - needs: build-and-push - with: - environment: dev - ECR_REGION: ${{vars.ECR_REGION}} - ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} - secrets: - ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} - KUBE_CERT: ${{ secrets.KUBE_CERT }} - KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} - KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} - KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} - - deploy-uat: - name: UAT - uses: ./.github/workflows/deploy.yml - needs: build-and-push - with: - environment: uat - ECR_REGION: ${{vars.ECR_REGION}} - ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} - secrets: - ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} - KUBE_CERT: ${{ secrets.KUBE_CERT }} - KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} - KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} - KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} - deploy-staging: name: Staging uses: ./.github/workflows/deploy.yml diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml new file mode 100644 index 000000000..b95b2c452 --- /dev/null +++ b/.github/workflows/static-analysis.yml @@ -0,0 +1,13 @@ +name: Static Analysis +on: workflow_call + +jobs: + lint: + name: Ruff + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: chartboost/ruff-action@v1 + with: + args: check --output-format=github + src: './src' \ No newline at end of file 
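Review bot: In the new `static-analysis.yml`, `chartboost/ruff-action@v1` is a third-party action referenced by a mutable tag, so whoever can move that tag decides what code runs in this job on every push. Pinning it to a full commit SHA with the version as a trailing comment, `uses: chartboost/ruff-action@<full-commit-sha>  # v1` (placeholder SHA), makes the executed code reviewable and stable. The workflow also sets no `permissions:`; linting only needs `contents: read`, and declaring that keeps the job's token read-only whatever the repository default is.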
From c8c66289995183ebea3c00178c65fda9981e6419 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 10:56:40 +0100 Subject: [PATCH 35/98] Fixed typo --- .github/workflows/feature-branch.yml | 2 +- .github/workflows/main-branch.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/feature-branch.yml b/.github/workflows/feature-branch.yml index 264901c3a..a8fad26b9 100644 --- a/.github/workflows/feature-branch.yml +++ b/.github/workflows/feature-branch.yml @@ -14,7 +14,7 @@ jobs: build-and-push: name: Build - uses: ./.github/workflows/build-and-push.yml + uses: ./.github/workflows/build.yml needs: linting-and-formatting with: ECR_REGION: ${{vars.ECR_REGION}} diff --git a/.github/workflows/main-branch.yml b/.github/workflows/main-branch.yml index f875906f6..f771ae42a 100644 --- a/.github/workflows/main-branch.yml +++ b/.github/workflows/main-branch.yml @@ -14,7 +14,7 @@ jobs: build-and-push: name: Build - uses: ./.github/workflows/build-and-push.yml + uses: ./.github/workflows/build.yml needs: linting-and-formatting with: ECR_REGION: ${{vars.ECR_REGION}} From 4485215543ec25d30b70f1a799b1aa7675b64596 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 10:57:18 +0100 Subject: [PATCH 36/98] Fixed typo --- .github/workflows/feature-branch.yml | 2 +- .github/workflows/main-branch.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/feature-branch.yml b/.github/workflows/feature-branch.yml index a8fad26b9..5203199b3 100644 --- a/.github/workflows/feature-branch.yml +++ b/.github/workflows/feature-branch.yml @@ -15,7 +15,7 @@ jobs: build-and-push: name: Build uses: ./.github/workflows/build.yml - needs: linting-and-formatting + needs: static-analysis with: ECR_REGION: ${{vars.ECR_REGION}} ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} diff --git a/.github/workflows/main-branch.yml b/.github/workflows/main-branch.yml index f771ae42a..6ce6685b4 100644 
--- a/.github/workflows/main-branch.yml +++ b/.github/workflows/main-branch.yml @@ -15,7 +15,7 @@ jobs: build-and-push: name: Build uses: ./.github/workflows/build.yml - needs: linting-and-formatting + needs: static-analysis with: ECR_REGION: ${{vars.ECR_REGION}} ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} From 1fda27f4c3ffb7f5628214142f60243e2337f070 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 11:35:00 +0100 Subject: [PATCH 37/98] Add testing workflow --- .github/workflows/build.yml | 3 ++- .github/workflows/feature-branch.yml | 12 +++++++++++- .github/workflows/test.yml | 24 ++++++++++++++++++++++++ 3 files changed, 37 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/test.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b885eaa7f..50109fffc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -37,7 +37,8 @@ jobs: mask-password: true # Build and push a Docker image to the container repository - - run: | + - id: docker-build + run: | docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG . docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG env: diff --git a/.github/workflows/feature-branch.yml b/.github/workflows/feature-branch.yml index 5203199b3..39c44f258 100644 --- a/.github/workflows/feature-branch.yml +++ b/.github/workflows/feature-branch.yml @@ -12,6 +12,16 @@ jobs: name: Static Analysis uses: ./.github/workflows/static-analysis.yml + test: + name: Test + uses: ./.github/workflows/test.yml + needs: static-analysis + with: + ECR_REGION: ${{vars.ECR_REGION}} + ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} + secrets: + ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} + build-and-push: name: Build uses: ./.github/workflows/build.yml @@ -40,7 +50,7 @@ jobs: deploy-uat: name: UAT uses: ./.github/workflows/deploy.yml - needs: build-and-push + needs: [build-and-push, test] with: environment: uat ECR_REGION: ${{vars.ECR_REGION}} 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 000000000..6058c6c69 --- /dev/null +++ b/.github/workflows/test.yml @@ -0,0 +1,24 @@ +name: Test + +on: workflow-call + +jobs: + test: + name: Pytest + steps: + - name: Checkout the repository + uses: actions/checkout@v4 + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.12' + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + + - name: Test with pytest + run: | + pip install pytest pytest-cov + pytest tests.py --doctest-modules --junitxml=junit/test-results.xml --cov=com --cov-report=xml --cov-report=html \ No newline at end of file From 1d8f5214b70888a0bcbd09aa65c239f768d27c59 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 11:36:07 +0100 Subject: [PATCH 38/98] Fixed typo --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6058c6c69..5ecf13e60 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,6 +1,6 @@ name: Test -on: workflow-call +on: workflow_call jobs: test: From accd7ab44bc16857eafe60e5946bf2a9270635c6 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 11:37:02 +0100 Subject: [PATCH 39/98] Adds runs-on --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 5ecf13e60..8bf9a5831 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -5,6 +5,7 @@ on: workflow_call jobs: test: name: Pytest + runs-on: ubuntu-latest steps: - name: Checkout the repository uses: actions/checkout@v4 From 150211e6e9d231f8f4eaf76f0308d221fbe3e921 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 11:37:38 +0100 Subject: [PATCH 40/98] Removed requirements --- .github/workflows/feature-branch.yml | 5 ----- 1 file changed, 5 deletions(-) 
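Review bot: The `Test with pytest` step in the new `test.yml` (patch 37/98) runs `pip install pytest pytest-cov` with no versions, and `Install dependencies` only upgrades pip, so each run resolves whatever is newest on the index and never installs the project's own requirements. Installing from a pinned, hashed requirements file, for example `python -m pip install --require-hashes -r <pinned-dev-requirements-file>` (placeholder path), keeps the test toolchain reproducible and limits exposure to a compromised release. `--cov=com` names a package that does not appear in the visible patches, so the coverage target looks carried over from a template and should be confirmed.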
diff --git a/.github/workflows/feature-branch.yml b/.github/workflows/feature-branch.yml index 39c44f258..b964bb7d9 100644 --- a/.github/workflows/feature-branch.yml +++ b/.github/workflows/feature-branch.yml @@ -16,11 +16,6 @@ jobs: name: Test uses: ./.github/workflows/test.yml needs: static-analysis - with: - ECR_REGION: ${{vars.ECR_REGION}} - ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} - secrets: - ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }} build-and-push: name: Build From c74561e563f060f249dffeb5ea5a8b79239f393f Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 11:43:05 +0100 Subject: [PATCH 41/98] Add test test --- test.py | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 test.py diff --git a/test.py b/test.py new file mode 100644 index 000000000..0723c2466 --- /dev/null +++ b/test.py @@ -0,0 +1,3 @@ +def test_coverage(): + # Test Pytest coverage + pass From 9d8e89061c6dc8abcec643c45d45073b2f401c52 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 11:44:17 +0100 Subject: [PATCH 42/98] Renamed tests --- test.py => tests.py | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename test.py => tests.py (100%) diff --git a/test.py b/tests.py similarity index 100% rename from test.py rename to tests.py From 7dc459c2b8f0fbd7a06bf8904c39708133fa9e74 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 11:53:51 +0100 Subject: [PATCH 43/98] Renamed Build and Push to ECR --- .github/workflows/build.yml | 2 +- .github/workflows/feature-branch.yml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 50109fffc..2ef4988b0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -15,7 +15,7 @@ on: jobs: build-and-push-to-ecr: - name: Build and Push to ECR + name: Build and Push runs-on: ubuntu-latest permissions: id-token: write # This is required for requesting the JWT 
diff --git a/.github/workflows/feature-branch.yml b/.github/workflows/feature-branch.yml index b964bb7d9..0ee18faae 100644 --- a/.github/workflows/feature-branch.yml +++ b/.github/workflows/feature-branch.yml @@ -15,7 +15,6 @@ jobs: test: name: Test uses: ./.github/workflows/test.yml - needs: static-analysis build-and-push: name: Build From d44c1c9226c851ab0b0f6ff99187107e0bbbffc0 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 12:02:37 +0100 Subject: [PATCH 44/98] Upload coverage results as an artifact --- .github/workflows/test.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8bf9a5831..df1b39f99 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -22,4 +22,12 @@ jobs: - name: Test with pytest run: | pip install pytest pytest-cov - pytest tests.py --doctest-modules --junitxml=junit/test-results.xml --cov=com --cov-report=xml --cov-report=html \ No newline at end of file + pytest tests.py --doctest-modules --junitxml=junit/test-results.xml --cov=com --cov-report=xml --cov-report=html + + - name: Upload pytest test results + uses: actions/upload-artifact@v4 + with: + name: pytest-results + path: junit/test-results.xml + # Use always() to always run this step to publish test results when there are test failures + if: ${{ always() }} \ No newline at end of file From 2d1c0b42c18a910b5c2829d55b355e856d196b17 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 12:09:54 +0100 Subject: [PATCH 45/98] Write coverage as comment --- .github/workflows/test.yml | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index df1b39f99..9d889e028 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -2,6 +2,11 @@ name: Test on: workflow_call +permissions: + contents: write + checks: write + pull-requests: write + jobs: test: name: Pytest @@ -22,12 +27,12 @@ jobs: - name: Test with pytest run: | pip install pytest pytest-cov - pytest tests.py --doctest-modules --junitxml=junit/test-results.xml --cov=com --cov-report=xml --cov-report=html + pytest tests.py --doctest-modules --junitxml=pytest-coverage.txt --cov=com --cov-report=xml --cov-report=html - - name: Upload pytest test results - uses: actions/upload-artifact@v4 + - name: Pytest coverage comment + uses: MishaKav/pytest-coverage-comment@main with: - name: pytest-results - path: junit/test-results.xml + pytest-coverage-path: ./pytest-coverage.txt + junitxml-path: ./pytest.xml # Use always() to always run this step to publish test results when there are test failures if: ${{ always() }} \ No newline at end of file From bc3e34f5759ad3a903490006241e2131624950b5 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 12:11:51 +0100 Subject: [PATCH 46/98] Removed coverage report --- .github/workflows/test.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 9d889e028..f94618431 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -27,12 +27,11 @@ jobs: - name: Test with pytest run: | pip install pytest pytest-cov - pytest tests.py --doctest-modules --junitxml=pytest-coverage.txt --cov=com --cov-report=xml --cov-report=html + pytest tests.py --doctest-modules --junitxml=pytest.xml --cov=com --cov-report=xml --cov-report=html - name: Pytest coverage comment uses: MishaKav/pytest-coverage-comment@main with: - pytest-coverage-path: ./pytest-coverage.txt junitxml-path: ./pytest.xml # Use always() to always run this step to publish test results when there are test failures if: ${{ always() }} \ No newline at end of file From fab6c1b37bff17364c80623c66aa4d1e4b23e650 Mon Sep 17 00:00:00 2001 
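Review bot: Patch 45/98 grants `contents: write`, `checks: write` and `pull-requests: write` at workflow level in `test.yml` and, in its second hunk, runs `MishaKav/pytest-coverage-comment@main`, a third-party action tracked by branch, in the same job. A moving branch reference combined with a write-scoped token means any future commit to that action's `main` runs with the ability to write to this repository. If the comment step is kept, pin it to a full commit SHA (`uses: MishaKav/pytest-coverage-comment@<full-commit-sha>`, placeholder SHA) and move the permissions onto the `test` job, limited to `pull-requests: write` plus `contents: read` unless the action documents needing more. Because `test.yml` is a reusable workflow, the calling job has to grant at least the same scopes. Patch 47/98 later removes both the permissions block and the action.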
From: Ben Millar Date: Thu, 16 May 2024 12:14:54 +0100 Subject: [PATCH 47/98] Revert back to using artifacts --- .github/workflows/test.yml | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index f94618431..488635de4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -2,11 +2,6 @@ name: Test on: workflow_call -permissions: - contents: write - checks: write - pull-requests: write - jobs: test: name: Pytest @@ -27,11 +22,12 @@ jobs: - name: Test with pytest run: | pip install pytest pytest-cov - pytest tests.py --doctest-modules --junitxml=pytest.xml --cov=com --cov-report=xml --cov-report=html + pytest tests.py --doctest-modules --junitxml=junit/test-results.xml --cov=com --cov-report=xml --cov-report=html - - name: Pytest coverage comment - uses: MishaKav/pytest-coverage-comment@main + - name: Upload pytest test results + uses: actions/upload-artifact@v4 with: - junitxml-path: ./pytest.xml + name: pytest-results-${{ matrix.python-version }} + path: junit/test-results-${{ matrix.python-version }}.xml # Use always() to always run this step to publish test results when there are test failures if: ${{ always() }} \ No newline at end of file From 8c4e4b322553e808dfcdc92255abca536caab975 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 12:18:11 +0100 Subject: [PATCH 48/98] Updated deploy step --- .github/workflows/deploy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 3da9ca257..1930a8699 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
@@ -57,7 +57,7 @@ jobs: ${HELM_DIR} \ --namespace=${{ secrets.KUBE_NAMESPACE }} \ --values ${HELM_DIR}/values/values-${{ inputs.environment }}.yaml \ - --set image.repository=$REPOSITORY \ - --set image.tag=$IMAGE_TAG \ + --set image.repository=${REPOSITORY} \ + --set image.tag=${IMAGE_TAG} \ --force \ --install From cfb2cba8744c5f08258b349257da862fe6587b62 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 12:20:25 +0100 Subject: [PATCH 49/98] Fixed typo --- .github/workflows/test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 488635de4..df1b39f99 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -27,7 +27,7 @@ jobs: - name: Upload pytest test results uses: actions/upload-artifact@v4 with: - name: pytest-results-${{ matrix.python-version }} - path: junit/test-results-${{ matrix.python-version }}.xml + name: pytest-results + path: junit/test-results.xml # Use always() to always run this step to publish test results when there are test failures if: ${{ always() }} \ No newline at end of file From dad9f07da1a0b76765fe8649c8c332cdaae98ac6 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 15:12:19 +0100 Subject: [PATCH 50/98] Add names to Build steps --- .github/workflows/build.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2ef4988b0..a81f27a3f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
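Review bot: The `helm upgrade` command touched by patch 48/98 still splices `${{ secrets.KUBE_NAMESPACE }}` and `${{ inputs.environment }}` directly into the script text, where they are expanded before the shell parses the line, and the `${REPOSITORY}` and `${IMAGE_TAG}` expansions it rewrites remain unquoted. Adding `KUBE_NAMESPACE` and `ENVIRONMENT` to the step's `env:` and quoting every expansion keeps the values as data: `--namespace="${KUBE_NAMESPACE}"`, `--values "${HELM_DIR}/values/values-${ENVIRONMENT}.yaml"`, `--set image.repository="${REPOSITORY}"`. The callers shown in this series pass the fixed names `dev` and `uat`, so this is hardening rather than a demonstrated injection path. The step starts above the hunk, and the same lines recur in the `deploy.yml` hunks of patches 51/98 to 53/98.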
@@ -21,27 +21,27 @@ jobs: id-token: write # This is required for requesting the JWT contents: read # This is required for actions/checkout steps: - # Checkout GitHub repository - - uses: actions/checkout@v4 + - name: Checkout GitHub repository + uses: actions/checkout@v4 - # Assume role in Cloud Platform - - uses: aws-actions/configure-aws-credentials@v4 + - name: Assume role in Cloud Platform + uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ secrets.ECR_ROLE_TO_ASSUME }} aws-region: ${{ inputs.ECR_REGION }} - # Login to container repository - - uses: aws-actions/amazon-ecr-login@v2 + - name: Login to container repository + uses: aws-actions/amazon-ecr-login@v2 id: login-ecr with: mask-password: true - # Build and push a Docker image to the container repository - - id: docker-build + - name: Build and push a Docker image to the container repository + id: docker-build run: | docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG . docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG env: REGISTRY: ${{ steps.login-ecr.outputs.registry }} REPOSITORY: ${{ inputs.ECR_REPOSITORY }} - IMAGE_TAG: ${{ github.sha }} \ No newline at end of file + IMAGE_TAG: ${{ github.sha }} From f2c827f493d2e9f3e2b64a86c11f8e9030790ad9 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 15:12:38 +0100 Subject: [PATCH 51/98] Log into ECR during deploy step --- .github/workflows/deploy.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 1930a8699..9829fe634 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
@@ -47,12 +47,24 @@ jobs: kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} kubectl config use-context ${KUBE_CLUSTER} + - name: Assume role in Cloud Platform + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.ECR_ROLE_TO_ASSUME }} + aws-region: ${{ inputs.ECR_REGION }} + + - name: Login to container registry + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + - name: Upgrade the Helm chart env: IMAGE_TAG: ${{ github.sha }} REPOSITORY: ${{ inputs.ECR_REPOSITORY }} + REGISTRY: ${{ steps.login-ecr.outputs.registry }} HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" run: | + echo ${REGISTRY} helm upgrade laa-access-civil-legal-aid \ ${HELM_DIR} \ --namespace=${{ secrets.KUBE_NAMESPACE }} \ From 2d47a3913b30cb1c4dfd6de76e86d3e1369f3161 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 15:16:22 +0100 Subject: [PATCH 52/98] Use registry as the image repository --- .github/workflows/deploy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 9829fe634..09b606d73 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -69,7 +69,7 @@ jobs: ${HELM_DIR} \ --namespace=${{ secrets.KUBE_NAMESPACE }} \ --values ${HELM_DIR}/values/values-${{ inputs.environment }}.yaml \ - --set image.repository=${REPOSITORY} \ + --set image.repository=${REGISTRY} \ --set image.tag=${IMAGE_TAG} \ --force \ --install From e95d8e5190be9670c9503e2a20520c8669844d6b Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 15:31:29 +0100 Subject: [PATCH 53/98] Adds repository to the end of the registry URL --- .github/workflows/deploy.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 09b606d73..8f91db1cb 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
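Review bot: Patch 51/98 makes the deploy job assume `ECR_ROLE_TO_ASSUME` and run `aws-actions/amazon-ecr-login@v2`, yet the only value the Helm step takes from it is `steps.login-ecr.outputs.registry`; nothing in the visible step pulls or pushes an image from the runner. If that role can also push, as its reuse from `build.yml` suggests, every deploy job now holds registry write credentials it does not appear to need. Supplying the registry hostname as a workflow input or repository variable, or assuming a separate read-only role here, would keep push rights in the build job only. The added `echo ${REGISTRY}` is debug output that writes the registry hostname to the job log and should be dropped before merging.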
@@ -63,13 +63,14 @@ jobs: REPOSITORY: ${{ inputs.ECR_REPOSITORY }} REGISTRY: ${{ steps.login-ecr.outputs.registry }} HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" + TEAM_NAME: "laa-get-access" run: | echo ${REGISTRY} helm upgrade laa-access-civil-legal-aid \ ${HELM_DIR} \ --namespace=${{ secrets.KUBE_NAMESPACE }} \ --values ${HELM_DIR}/values/values-${{ inputs.environment }}.yaml \ - --set image.repository=${REGISTRY} \ + --set image.repository=${REGISTRY}/${REPOSITORY} \ --set image.tag=${IMAGE_TAG} \ --force \ --install From 8985404cdfd6010cf529773f55e34918ac6bba11 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 15:35:44 +0100 Subject: [PATCH 54/98] Remove pod security context --- helm_deploy/laa-access-civil-legal-aid/values.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/helm_deploy/laa-access-civil-legal-aid/values.yaml b/helm_deploy/laa-access-civil-legal-aid/values.yaml index 83e608cb5..45ca0a653 100644 --- a/helm_deploy/laa-access-civil-legal-aid/values.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/values.yaml @@ -19,10 +19,7 @@ serviceAccount: podAnnotations: {} podLabels: {} -podSecurityContext: { - runAsNonRoot: true, - allowPrivilegeEscalation: false -} +podSecurityContext: {} securityContext: {} From 0173c594ceb72d873a209fb0e1b9b2118562175b Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 15:41:00 +0100 Subject: [PATCH 55/98] Make image run as non-root user --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index bee3c167c..05b55e602 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1 +1,2 @@ FROM python:3.12-slim +USER 1000 \ No newline at end of file From 1da0b1de6bf36b43b3432a76df56d2531a3d60f8 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 15:46:59 +0100 Subject: [PATCH 56/98] Added Hello World --- Dockerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/Dockerfile b/Dockerfile index 05b55e602..94f663fbc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,2 +1,4 @@ FROM python:3.12-slim -USER 1000 \ No newline at end of file +USER 1000 + +CMD ["echo" "Hello World"] \ No newline at end of file From 76ed4967b2da3d3387640e16b8d1a31065ef2de8 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 15:47:11 +0100 Subject: [PATCH 57/98] Added podSecurityContext --- helm_deploy/laa-access-civil-legal-aid/values.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/helm_deploy/laa-access-civil-legal-aid/values.yaml b/helm_deploy/laa-access-civil-legal-aid/values.yaml index 45ca0a653..b0336f391 100644 --- a/helm_deploy/laa-access-civil-legal-aid/values.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/values.yaml @@ -19,7 +19,9 @@ serviceAccount: podAnnotations: {} podLabels: {} -podSecurityContext: {} +podSecurityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false securityContext: {} From 007cb3f705c6bbe999ca224ec3ed525a7f39daae Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 15:49:29 +0100 Subject: [PATCH 58/98] Fixed typo --- Dockerfile | 2 +- helm_deploy/laa-access-civil-legal-aid/values.yaml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 94f663fbc..afae51ab1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ FROM python:3.12-slim USER 1000 -CMD ["echo" "Hello World"] \ No newline at end of file +CMD ["echo", "Hello World"] \ No newline at end of file diff --git a/helm_deploy/laa-access-civil-legal-aid/values.yaml b/helm_deploy/laa-access-civil-legal-aid/values.yaml index b0336f391..a46ffaf6b 100644 --- a/helm_deploy/laa-access-civil-legal-aid/values.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/values.yaml 
@@ -19,12 +19,12 @@ serviceAccount: podAnnotations: {} podLabels: {} -podSecurityContext: +podSecurityContext: {} + +securityContext: runAsNonRoot: true allowPrivilegeEscalation: false -securityContext: {} - service: type: ClusterIP port: 80 From f5d698d4cb8ca61cc75ce3db69bc9debef30c5ea Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 15:55:47 +0100 Subject: [PATCH 59/98] Added additional required securityContext --- .github/workflows/deploy.yml | 2 -- helm_deploy/laa-access-civil-legal-aid/values.yaml | 4 ++++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 8f91db1cb..d587f8006 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -63,9 +63,7 @@ jobs: REPOSITORY: ${{ inputs.ECR_REPOSITORY }} REGISTRY: ${{ steps.login-ecr.outputs.registry }} HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" - TEAM_NAME: "laa-get-access" run: | - echo ${REGISTRY} helm upgrade laa-access-civil-legal-aid \ ${HELM_DIR} \ --namespace=${{ secrets.KUBE_NAMESPACE }} \ diff --git a/helm_deploy/laa-access-civil-legal-aid/values.yaml b/helm_deploy/laa-access-civil-legal-aid/values.yaml index a46ffaf6b..4f527b292 100644 --- a/helm_deploy/laa-access-civil-legal-aid/values.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/values.yaml @@ -24,6 +24,10 @@ podSecurityContext: {} securityContext: runAsNonRoot: true allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: ["ALL"] service: type: ClusterIP From 2feefe5755d28b70e5f58829c69fc74a595a4b14 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 16:10:30 +0100 Subject: [PATCH 60/98] Add a simple flask app --- Dockerfile | 21 ++++++++++++++++++- .../laa-access-civil-legal-aid/values.yaml | 2 +- requirements.in | 1 + 3 files changed, 22 insertions(+), 2 deletions(-) create mode 100644 requirements.in diff --git a/Dockerfile b/Dockerfile index afae51ab1..ad373d644 100644 
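Review bot: The container `securityContext` that patch 59/98 extends in `values.yaml` sets `runAsNonRoot`, `allowPrivilegeEscalation: false`, `seccompProfile` and `capabilities.drop`, but leaves the root filesystem writable. Adding `readOnlyRootFilesystem: true` would complete the set, provided the application writes only to mounted volumes, which needs confirming against the image. `runAsNonRoot: true` also relies on the image declaring a numeric non-root user; setting `runAsUser: 1000` here, matching the `USER 1000` from the Dockerfile patches, would make that explicit rather than implied. Whether the chart's deployment template applies this block to the container is outside the hunk.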
--- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,23 @@ FROM python:3.12-slim USER 1000 -CMD ["echo", "Hello World"] \ No newline at end of file +# Set the working directory in the container +WORKDIR /usr/src/app + +# Create a non-root user +RUN adduser --disabled-password --gecos '' containeruser + +# Change ownership of the working directory to the non-root user +RUN chown -R containeruser:containeruser /usr/src/app + +# Install any needed dependencies +RUN pip install --no-cache-dir -r requirements.in + +# Switch to the non-root user +USER containeruser + +# Expose the Flask port +EXPOSE 8000 + +# Run the Flask application for development +CMD ["flask", "run", "--cert=adhoc"] \ No newline at end of file diff --git a/helm_deploy/laa-access-civil-legal-aid/values.yaml b/helm_deploy/laa-access-civil-legal-aid/values.yaml index 4f527b292..581bd3ffb 100644 --- a/helm_deploy/laa-access-civil-legal-aid/values.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/values.yaml @@ -27,7 +27,7 @@ securityContext: seccompProfile: type: RuntimeDefault capabilities: - drop: ["ALL"] + drop: ["ALL"] service: type: ClusterIP diff --git a/requirements.in b/requirements.in new file mode 100644 index 000000000..2077213c3 --- /dev/null +++ b/requirements.in @@ -0,0 +1 @@ +Flask \ No newline at end of file From 11413aa285e781afd976f8906a842b47a7aec0c1 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 16:12:12 +0100 Subject: [PATCH 61/98] Create user as root --- Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index ad373d644..a052f4835 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,4 @@ FROM python:3.12-slim -USER 1000 # Set the working directory in the container WORKDIR /usr/src/app From b59dad12c6f0f4047fd35897a7a4675a5fc35274 Mon Sep 17 00:00:00 2001 
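Review bot: The `CMD ["flask", "run", "--cert=adhoc"]` added to the Dockerfile in patch 60/98 starts Flask's built-in development server, as its own comment says, and this image is the one the workflows build and deploy to the cluster. That server is meant for local use; a WSGI server should be the entrypoint, e.g. add `gunicorn` to `requirements.in` and use `CMD ["gunicorn", "--bind", "0.0.0.0:8000", "app:app"]` (module name assumed from the `app.py` added in patch 62/98). `requirements.in` lists `Flask` with no version and is installed directly, so each build can pick up a different release; installing from a compiled, pinned requirements file would make the image reproducible. In this hunk `USER 1000` also precedes `RUN adduser` and `RUN chown`, which need root; patch 61/98 removes that line.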
From: Ben Millar Date: Thu, 16 May 2024 16:26:21 +0100 Subject: [PATCH 62/98] Add simple flask app --- Dockerfile | 11 ++++++++++- app.py | 8 ++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 app.py diff --git a/Dockerfile b/Dockerfile index a052f4835..498f8d56c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,8 @@ FROM python:3.12-slim +ENV FLASK_RUN_HOST=0.0.0.0 +ENV FLASK_RUN_PORT=8000 + # Set the working directory in the container WORKDIR /usr/src/app @@ -9,9 +12,15 @@ RUN adduser --disabled-password --gecos '' containeruser # Change ownership of the working directory to the non-root user RUN chown -R containeruser:containeruser /usr/src/app +# Copy the dependencies file to the working directory +COPY requirements.in ./ + # Install any needed dependencies RUN pip install --no-cache-dir -r requirements.in +# Copy the project code into the working directory +COPY . . + # Switch to the non-root user USER containeruser @@ -19,4 +28,4 @@ USER containeruser EXPOSE 8000 # Run the Flask application for development -CMD ["flask", "run", "--cert=adhoc"] \ No newline at end of file +CMD ["flask", "run"] \ No newline at end of file diff --git a/app.py b/app.py new file mode 100644 index 000000000..924d3eb22 --- /dev/null +++ b/app.py @@ -0,0 +1,8 @@ +from flask import Flask + +app = Flask(__name__) + + +@app.route("/") +def hello_world(): + return "

Hello, World!

" From 96e8f3c229488328aadefea7c4b6583732bd44aa Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 16:29:57 +0100 Subject: [PATCH 63/98] Use user 1000 --- Dockerfile | 5 +---- src/test.py | 0 2 files changed, 1 insertion(+), 4 deletions(-) delete mode 100644 src/test.py diff --git a/Dockerfile b/Dockerfile index 498f8d56c..532182723 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,9 +6,6 @@ ENV FLASK_RUN_PORT=8000 # Set the working directory in the container WORKDIR /usr/src/app -# Create a non-root user -RUN adduser --disabled-password --gecos '' containeruser - # Change ownership of the working directory to the non-root user RUN chown -R containeruser:containeruser /usr/src/app @@ -22,7 +19,7 @@ RUN pip install --no-cache-dir -r requirements.in COPY . . # Switch to the non-root user -USER containeruser +USER 1000 # Expose the Flask port EXPOSE 8000 diff --git a/src/test.py b/src/test.py deleted file mode 100644 index e69de29bb..000000000 From f739a9248fb114ae9dece9959ec3c705e9e2fca9 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 16:30:58 +0100 Subject: [PATCH 64/98] Re-add test.py --- src/test.py | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 src/test.py diff --git a/src/test.py b/src/test.py new file mode 100644 index 000000000..e69de29bb From acdc0edefb2ca22afa996f5ee2a7e7ff11e48ddf Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 16:32:42 +0100 Subject: [PATCH 65/98] Use numerical user ID --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 532182723..76edc60c2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,7 +7,7 @@ ENV FLASK_RUN_PORT=8000 WORKDIR /usr/src/app # Change ownership of the working directory to the non-root user -RUN chown -R containeruser:containeruser /usr/src/app +RUN chown -R 1000:1000 /usr/src/app # Copy the dependencies file to the working directory COPY requirements.in ./ 
From bfe4fc99ed13e40f92e08d23f26e3a71efae4d63 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 17:25:28 +0100 Subject: [PATCH 66/98] Enabled dev ingress --- helm_deploy/laa-access-civil-legal-aid/values.yaml | 2 +- .../laa-access-civil-legal-aid/values/values-dev.yaml | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/helm_deploy/laa-access-civil-legal-aid/values.yaml b/helm_deploy/laa-access-civil-legal-aid/values.yaml index 581bd3ffb..381411542 100644 --- a/helm_deploy/laa-access-civil-legal-aid/values.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/values.yaml @@ -30,7 +30,7 @@ securityContext: drop: ["ALL"] service: - type: ClusterIP + type: NodePort port: 80 ingress: diff --git a/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml b/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml index 8f2139044..200bc108b 100644 --- a/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml @@ -4,7 +4,12 @@ environment: "dev" ingress: - enabled: false + enabled: true + hosts: + - host: "access-civil-legal-aid-dev.cloud-platform.service.justice.gov.uk" + paths: + - path: / + pathType: ImplementationSpecific # Lists don't deep merge, so this list of envVars overrides anything defined in an earlier values file envVars: From 8ebf77317b73a36ea5c4e10235a7dd976dc168b1 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 17:40:07 +0100 Subject: [PATCH 67/98] Always register service backend --- .../laa-access-civil-legal-aid/templates/ingress.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml b/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml index 23623ed13..7697f9db9 100644 --- a/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml 
@@ -51,15 +51,10 @@ spec: pathType: {{ .pathType }} {{- end }} backend: - {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} service: name: {{ $fullName }} port: number: {{ $svcPort }} - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ $svcPort }} - {{- end }} {{- end }} {{- end }} {{- end }} From 7ebf11c8617de912e5fcf0916a5f020f6be91b30 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Thu, 16 May 2024 17:51:56 +0100 Subject: [PATCH 68/98] Always set path type --- helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml b/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml index 7697f9db9..ce1ec60b3 100644 --- a/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml @@ -47,9 +47,7 @@ spec: paths: {{- range .paths }} - path: {{ .path }} - {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} pathType: {{ .pathType }} - {{- end }} backend: service: name: {{ $fullName }} From 248bed2b25515bc152a18ee44319e4639aa8303a Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Fri, 17 May 2024 13:51:48 +0100 Subject: [PATCH 69/98] Changed service to use ClusterIP and added TLS host --- helm_deploy/laa-access-civil-legal-aid/values.yaml | 2 +- helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/helm_deploy/laa-access-civil-legal-aid/values.yaml b/helm_deploy/laa-access-civil-legal-aid/values.yaml index 381411542..581bd3ffb 100644 --- a/helm_deploy/laa-access-civil-legal-aid/values.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/values.yaml @@ -30,7 +30,7 @@ securityContext: drop: ["ALL"] service: - type: NodePort + type: ClusterIP port: 80 ingress: 
diff --git a/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml b/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml index 200bc108b..ec39c9deb 100644 --- a/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml @@ -5,6 +5,9 @@ environment: "dev" ingress: enabled: true + tls: + - hosts: + - "access-civil-legal-aid-dev.cloud-platform.service.justice.gov.uk" hosts: - host: "access-civil-legal-aid-dev.cloud-platform.service.justice.gov.uk" paths: From 8b680786ff04e75f34c8448e13b889cf8918a729 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Fri, 17 May 2024 14:12:11 +0100 Subject: [PATCH 70/98] Set a default ingress ClassName --- helm_deploy/laa-access-civil-legal-aid/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm_deploy/laa-access-civil-legal-aid/values.yaml b/helm_deploy/laa-access-civil-legal-aid/values.yaml index 581bd3ffb..ab0fe7fe9 100644 --- a/helm_deploy/laa-access-civil-legal-aid/values.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/values.yaml @@ -35,7 +35,7 @@ service: ingress: enabled: false - className: "" + className: "default" annotations: {} cluster: name: green From 14568badee28cf563529fe6497344c6df03636f9 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Fri, 17 May 2024 14:30:39 +0100 Subject: [PATCH 71/98] Changed service targetPort to 8000 --- helm_deploy/laa-access-civil-legal-aid/templates/service.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/service.yaml b/helm_deploy/laa-access-civil-legal-aid/templates/service.yaml index bddc98272..7ac76ffee 100644 --- a/helm_deploy/laa-access-civil-legal-aid/templates/service.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/templates/service.yaml 
@@ -8,7 +8,7 @@ spec: type: {{ .Values.service.type }} ports: - port: {{ .Values.service.port }} - targetPort: http + targetPort: 8000 protocol: TCP name: http selector: From 9061261cfda802847ca5e9b55080111d84530894 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Fri, 17 May 2024 14:34:47 +0100 Subject: [PATCH 72/98] Reverted targetPort --- helm_deploy/laa-access-civil-legal-aid/templates/service.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/service.yaml b/helm_deploy/laa-access-civil-legal-aid/templates/service.yaml index 7ac76ffee..bddc98272 100644 --- a/helm_deploy/laa-access-civil-legal-aid/templates/service.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/templates/service.yaml @@ -8,7 +8,7 @@ spec: type: {{ .Values.service.type }} ports: - port: {{ .Values.service.port }} - targetPort: 8000 + targetPort: http protocol: TCP name: http selector: From f268e7625a209d135d6b5f8298ff8c451821ecd4 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Fri, 17 May 2024 14:49:41 +0100 Subject: [PATCH 73/98] Change container port to 8000 --- .../laa-access-civil-legal-aid/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/deployment.yaml b/helm_deploy/laa-access-civil-legal-aid/templates/deployment.yaml index 7cd2cda18..b497beff1 100644 --- a/helm_deploy/laa-access-civil-legal-aid/templates/deployment.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/templates/deployment.yaml @@ -38,7 +38,7 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - name: http - containerPort: {{ .Values.service.port }} + containerPort: 8000 protocol: TCP livenessProbe: httpGet: From 221f8b19874510878fa6f457cbef47da4ea81437 Mon Sep 17 00:00:00 2001 
From: Ben Millar Date: Fri, 17 May 2024 15:12:32 +0100 Subject: [PATCH 74/98] containerPort is now set in values --- .../laa-access-civil-legal-aid/templates/deployment.yaml | 2 +- helm_deploy/laa-access-civil-legal-aid/values.yaml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/deployment.yaml b/helm_deploy/laa-access-civil-legal-aid/templates/deployment.yaml index b497beff1..f38f67858 100644 --- a/helm_deploy/laa-access-civil-legal-aid/templates/deployment.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/templates/deployment.yaml @@ -38,7 +38,7 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - name: http - containerPort: 8000 + containerPort: {{ .Values.image.containerPort }} protocol: TCP livenessProbe: httpGet: diff --git a/helm_deploy/laa-access-civil-legal-aid/values.yaml b/helm_deploy/laa-access-civil-legal-aid/values.yaml index ab0fe7fe9..18e3096c2 100644 --- a/helm_deploy/laa-access-civil-legal-aid/values.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/values.yaml @@ -7,6 +7,7 @@ image: pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. tag: latest + containerPort: 8000 imagePullSecrets: [] nameOverride: "" From 1711aea29f4fffc180ec8af0f269a3ac89e1934d Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Fri, 17 May 2024 15:27:39 +0100 Subject: [PATCH 75/98] Added dev deploy --- .github/workflows/deploy-dev.yml | 79 +++++++++++++++++++ .github/workflows/deploy.yml | 2 +- .github/workflows/feature-branch.yml | 2 +- .../values/values-dev.yaml | 3 - 4 files changed, 81 insertions(+), 5 deletions(-) create mode 100644 .github/workflows/deploy-dev.yml diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml new file mode 100644 index 000000000..fcc6ff4af --- /dev/null +++ b/.github/workflows/deploy-dev.yml 
@@ -0,0 +1,79 @@ +name: Deploy image to the dev environment +on: + workflow_call: + inputs: + environment: + required: true + type: string + ECR_REGION: + required: true + type: string + ECR_REPOSITORY: + required: true + type: string + secrets: + ECR_ROLE_TO_ASSUME: + required: true + KUBE_CERT: + required: true + KUBE_CLUSTER: + required: true + KUBE_NAMESPACE: + required: true + KUBE_TOKEN: + required: true + + +jobs: + deploy: + name: Deploy + environment: ${{ inputs.environment }} + runs-on: ubuntu-latest + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + steps: + - name: Checkout GitHub repository + uses: actions/checkout@v4 + + - name: Authenticate to the cluster + env: + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + run: | + echo "${{ secrets.KUBE_CERT }}" > ca.crt + kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} + kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} + kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} + kubectl config use-context ${KUBE_CLUSTER} + + - name: Assume role in Cloud Platform + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.ECR_ROLE_TO_ASSUME }} + aws-region: ${{ inputs.ECR_REGION }} + + - name: Login to container registry + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + + - name: Upgrade the Helm chart + env: + IMAGE_TAG: ${{ github.sha }} + REPOSITORY: ${{ inputs.ECR_REPOSITORY }} + REGISTRY: ${{ steps.login-ecr.outputs.registry }} + HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" + DEV_HOST: "access-cla.cloud-platform.service.justice.gov.uk" + run: | + export CLEANED_BRANCH_NAME=$(echo ${{ github.ref_name }}}} | sed 's/^feature[-/]//' | sed 's:^\w*\/::' | tr -s ' _/[]().' 
'-' | tr '[:upper:]' '[:lower:]' | cut -c1-28 | sed 's/-$//') + + helm upgrade ${CLEANED_BRANCH_NAME} \ + ${HELM_DIR} \ + --namespace=${{ secrets.KUBE_NAMESPACE }} \ + --values ${HELM_DIR}/values/values-${{ inputs.environment }}.yaml \ + --set image.repository=${REGISTRY}/${REPOSITORY} \ + --set image.tag=${IMAGE_TAG} \ + --set fullnameOverride=${CLEANED_BRANCH_NAME} + --set ingress.hosts[0].host=${CLEANED_BRANCH_NAME}-${DEV_HOST} + --force \ + --install diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index d587f8006..59a85ddab 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -1,4 +1,4 @@ -name: Deploy image to the dev environment +name: Deploy to a Cloud Platform environment on: workflow_call: inputs: diff --git a/.github/workflows/feature-branch.yml b/.github/workflows/feature-branch.yml index 0ee18faae..f2000706f 100644 --- a/.github/workflows/feature-branch.yml +++ b/.github/workflows/feature-branch.yml @@ -28,7 +28,7 @@ jobs: deploy-dev: name: Dev - uses: ./.github/workflows/deploy.yml + uses: ./.github/workflows/deploy-dev.yml needs: build-and-push with: environment: dev diff --git a/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml b/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml index ec39c9deb..200bc108b 100644 --- a/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml @@ -5,9 +5,6 @@ environment: "dev" ingress: enabled: true - tls: - - hosts: - - "access-civil-legal-aid-dev.cloud-platform.service.justice.gov.uk" hosts: - host: "access-civil-legal-aid-dev.cloud-platform.service.justice.gov.uk" paths: From c66678dafd5722909db9250f57fca6b6e5b9ec48 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Fri, 17 May 2024 15:32:01 +0100 Subject: [PATCH 76/98] Fixed typo --- .github/workflows/deploy-dev.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
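Review bot: In the "Authenticate to the cluster" step, `${{ secrets.KUBE_CERT }}` and `${{ secrets.KUBE_TOKEN }}` are pasted into the script text before the shell runs, while `KUBE_NAMESPACE` and `KUBE_CLUSTER` in the same step already go through `env:`. Any quote, backtick or `$` in those values is then parsed as shell syntax instead of data. The same applies to `${{ github.ref_name }}` in the "Upgrade the Helm chart" step, where the value is a branch name chosen by whoever pushes, and to `--namespace=${{ secrets.KUBE_NAMESPACE }}` there. Passing every one of them through `env:` and quoting the expansions keeps them as plain strings.

```yaml
- name: Authenticate to the cluster
  env:
    # … unchanged: KUBE_NAMESPACE, KUBE_CLUSTER …
    KUBE_CERT: ${{ secrets.KUBE_CERT }}
    KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }}
  run: |
    echo "${KUBE_CERT}" > ca.crt
    # … unchanged: kubectl config set-cluster …
    kubectl config set-credentials deploy-user --token="${KUBE_TOKEN}"
    # … unchanged: kubectl config set-context / use-context …
```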
diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml index fcc6ff4af..8847da9ef 100644 --- a/.github/workflows/deploy-dev.yml +++ b/.github/workflows/deploy-dev.yml @@ -65,7 +65,7 @@ jobs: HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" DEV_HOST: "access-cla.cloud-platform.service.justice.gov.uk" run: | - export CLEANED_BRANCH_NAME=$(echo ${{ github.ref_name }}}} | sed 's/^feature[-/]//' | sed 's:^\w*\/::' | tr -s ' _/[]().' '-' | tr '[:upper:]' '[:lower:]' | cut -c1-28 | sed 's/-$//') + export CLEANED_BRANCH_NAME=$(echo ${{ github.ref_name }} | sed 's/^feature[-/]//' | sed 's:^\w*\/::' | tr -s ' _/[]().' '-' | tr '[:upper:]' '[:lower:]' | cut -c1-28 | sed 's/-$//') helm upgrade ${CLEANED_BRANCH_NAME} \ ${HELM_DIR} \ From 0a67b8d5ee393141394dde0e1b94f92fc3121e43 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Fri, 17 May 2024 15:37:47 +0100 Subject: [PATCH 77/98] Added additional \ --- .github/workflows/deploy-dev.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml index 8847da9ef..52a262a4a 100644 --- a/.github/workflows/deploy-dev.yml +++ b/.github/workflows/deploy-dev.yml @@ -73,7 +73,7 @@ jobs: --values ${HELM_DIR}/values/values-${{ inputs.environment }}.yaml \ --set image.repository=${REGISTRY}/${REPOSITORY} \ --set image.tag=${IMAGE_TAG} \ - --set fullnameOverride=${CLEANED_BRANCH_NAME} - --set ingress.hosts[0].host=${CLEANED_BRANCH_NAME}-${DEV_HOST} + --set fullnameOverride=${CLEANED_BRANCH_NAME} \ + --set ingress.hosts[0].host=${CLEANED_BRANCH_NAME}-${DEV_HOST} \ --force \ --install From 803623666c44696caed02ed0eb71d6ff22914048 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Fri, 17 May 2024 15:52:59 +0100 Subject: [PATCH 78/98] Shortened URL octet --- .github/workflows/deploy-dev.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml index 52a262a4a..d2118a2db 100644 --- a/.github/workflows/deploy-dev.yml +++ b/.github/workflows/deploy-dev.yml @@ -74,6 +74,6 @@ jobs: --set image.repository=${REGISTRY}/${REPOSITORY} \ --set image.tag=${IMAGE_TAG} \ --set fullnameOverride=${CLEANED_BRANCH_NAME} \ - --set ingress.hosts[0].host=${CLEANED_BRANCH_NAME}-${DEV_HOST} \ + --set ingress.hosts[0].host=${CLEANED_BRANCH_NAME}.${DEV_HOST} \ --force \ --install From 51213740e23c7bffb08aa9a2ba785b20a071c9fa Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Fri, 17 May 2024 22:09:25 +0100 Subject: [PATCH 79/98] Added TLS to dev --- .github/workflows/deploy-dev.yml | 1 + helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml index d2118a2db..33c0fc3a6 100644 --- a/.github/workflows/deploy-dev.yml +++ b/.github/workflows/deploy-dev.yml @@ -75,5 +75,6 @@ jobs: --set image.tag=${IMAGE_TAG} \ --set fullnameOverride=${CLEANED_BRANCH_NAME} \ --set ingress.hosts[0].host=${CLEANED_BRANCH_NAME}.${DEV_HOST} \ + --set tls.hosts[0]=${CLEANED_BRANCH_NAME}.${DEV_HOST} \ --force \ --install diff --git a/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml b/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml index 200bc108b..ec39c9deb 100644 --- a/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml @@ -5,6 +5,9 @@ environment: "dev" ingress: enabled: true + tls: + - hosts: + - "access-civil-legal-aid-dev.cloud-platform.service.justice.gov.uk" hosts: - host: "access-civil-legal-aid-dev.cloud-platform.service.justice.gov.uk" paths: From 49e5d3dbe271910beb9ad7f88fa8175de3abce1a Mon Sep 17 00:00:00 2001 
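Review bot: The `tls` entry added to values-dev.yaml lists a host but no `secretName`, so which certificate is served for the dev host is left to the ingress controller's default, if one is configured. The ingress template's `tls` block is not part of this hunk, so it is not visible whether it tolerates the missing key. If the default certificate is intended, record that above the block, e.g. `# No secretName: relies on the ingress controller's default certificate`; otherwise add a `secretName:` key next to `hosts:`.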
From: Ben Millar Date: Fri, 17 May 2024 22:24:54 +0100 Subject: [PATCH 80/98] Added clean up release workflow --- .github/workflows/cleanup-release.yml | 34 +++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 .github/workflows/cleanup-release.yml diff --git a/.github/workflows/cleanup-release.yml b/.github/workflows/cleanup-release.yml new file mode 100644 index 000000000..109bf8a5f --- /dev/null +++ b/.github/workflows/cleanup-release.yml @@ -0,0 +1,34 @@ +# Uninstalls the dev helm chart when a PR is merged, or closed +name: Clean up the dev release when the PR is closed + +run-name: Clean up ${{ github.ref_name }} + +on: + pull_request: + types: + - closed + +jobs: + clean-up-release: + name: Clean up release + environment: dev + runs-on: ubuntu-latest + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + steps: + - name: Authenticate to the cluster + env: + KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} + KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} + run: | + echo "${{ secrets.KUBE_CERT }}" > ca.crt + kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} + kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} + kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} + kubectl config use-context ${KUBE_CLUSTER} + + - name: Uninstall the helm chart + run: | + export CLEANED_BRANCH_NAME=$(echo ${{ github.ref_name }} | sed 's/^feature[-/]//' | sed 's:^\w*\/::' | tr -s ' _/[]().' '-' | tr '[:upper:]' '[:lower:]' | cut -c1-28 | sed 's/-$//') + helm uninstall ${CLEANED_BRANCH_NAME} From 9eaf671f1d81cc87f17a09d6ae7eafb2c1764424 Mon Sep 17 00:00:00 2001 
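Review bot: The `clean-up-release` job requests `id-token: write` and `contents: read`, but none of its steps asks for an OIDC token or checks out the repository; it only writes a kubeconfig from secrets and runs `helm uninstall`. The two inline comments were carried over from the deploy workflow and do not describe this job. Since the job runs on every closed pull request and holds cluster credentials, the block can be reduced to `permissions: {}`.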
From: Ben Millar Date: Fri, 17 May 2024 22:29:11 +0100 Subject: [PATCH 81/98] Use head_ref rather than ref_name --- .github/workflows/cleanup-release.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cleanup-release.yml b/.github/workflows/cleanup-release.yml index 109bf8a5f..02f27269b 100644 --- a/.github/workflows/cleanup-release.yml +++ b/.github/workflows/cleanup-release.yml @@ -1,7 +1,7 @@ # Uninstalls the dev helm chart when a PR is merged, or closed -name: Clean up the dev release when the PR is closed +name: Clean up the dev release -run-name: Clean up ${{ github.ref_name }} +run-name: Clean up ${{ github.head_ref }} on: pull_request: @@ -30,5 +30,5 @@ jobs: - name: Uninstall the helm chart run: | - export CLEANED_BRANCH_NAME=$(echo ${{ github.ref_name }} | sed 's/^feature[-/]//' | sed 's:^\w*\/::' | tr -s ' _/[]().' '-' | tr '[:upper:]' '[:lower:]' | cut -c1-28 | sed 's/-$//') + export CLEANED_BRANCH_NAME=$(echo ${{ github.head_ref }} | sed 's/^feature[-/]//' | sed 's:^\w*\/::' | tr -s ' _/[]().' '-' | tr '[:upper:]' '[:lower:]' | cut -c1-28 | sed 's/-$//') helm uninstall ${CLEANED_BRANCH_NAME} From 6f82c9bf37344979efeadf855b44167e0daa0bd5 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Fri, 17 May 2024 22:33:56 +0100 Subject: [PATCH 82/98] Redeploy to dev when PR is reopened --- .github/workflows/feature-branch.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/feature-branch.yml b/.github/workflows/feature-branch.yml index f2000706f..46e467060 100644 --- a/.github/workflows/feature-branch.yml +++ b/.github/workflows/feature-branch.yml @@ -6,6 +6,9 @@ on: push: branches-ignore: - main + pull_request: + types: + - reopened jobs: static-analysis: From 90323d19a09059b31e7691937d8ef12d3cc115f0 Mon Sep 17 00:00:00 2001 
From: Ben Millar Date: Fri, 17 May 2024 22:44:24 +0100 Subject: [PATCH 83/98] Improved method of getting branch name --- .github/workflows/cleanup-release.yml | 7 +++++-- .github/workflows/deploy-dev.yml | 4 +++- .github/workflows/feature-branch.yml | 2 +- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/cleanup-release.yml b/.github/workflows/cleanup-release.yml index 02f27269b..49b226c76 100644 --- a/.github/workflows/cleanup-release.yml +++ b/.github/workflows/cleanup-release.yml @@ -1,7 +1,7 @@ # Uninstalls the dev helm chart when a PR is merged, or closed name: Clean up the dev release -run-name: Clean up ${{ github.head_ref }} +run-name: Clean up ${{ github.head_ref || github.ref_name }} on: pull_request: @@ -29,6 +29,9 @@ jobs: kubectl config use-context ${KUBE_CLUSTER} - name: Uninstall the helm chart + env: + # head_ref is set if the workflow was triggered by a PR, ref_name is used if the workflow was trigged by a push. + BRANCH_NAME: ${{ github.head_ref || github.ref_name }} run: | - export CLEANED_BRANCH_NAME=$(echo ${{ github.head_ref }} | sed 's/^feature[-/]//' | sed 's:^\w*\/::' | tr -s ' _/[]().' '-' | tr '[:upper:]' '[:lower:]' | cut -c1-28 | sed 's/-$//') + export CLEANED_BRANCH_NAME=$(echo ${BRANCH_NAME} | sed 's/^feature[-/]//' | sed 's:^\w*\/::' | tr -s ' _/[]().' '-' | tr '[:upper:]' '[:lower:]' | cut -c1-28 | sed 's/-$//') helm uninstall ${CLEANED_BRANCH_NAME} diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml index 33c0fc3a6..efe48f494 100644 --- a/.github/workflows/deploy-dev.yml +++ b/.github/workflows/deploy-dev.yml 
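Review bot: The release name passed to `helm uninstall` is the branch name truncated by `cut -c1-28`, so two branches whose cleaned names share their first 28 characters resolve to the same release, and closing the pull request for one would uninstall the deployment the other is still using. deploy-dev.yml derives the name with the same pipeline, so any change has to be made in both files. One option is a short suffix derived from the full branch name, e.g. `SUFFIX=$(printf '%s' "${BRANCH_NAME}" | sha1sum | cut -c1-6)` and `${CLEANED_BRANCH_NAME}-${SUFFIX}` as the release name. Quoting the expansion as `echo "${BRANCH_NAME}"` would also keep the shell from word-splitting the value.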
@@ -64,8 +64,10 @@ jobs: REGISTRY: ${{ steps.login-ecr.outputs.registry }} HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" DEV_HOST: "access-cla.cloud-platform.service.justice.gov.uk" + # head_ref is set if the workflow was triggered by a PR, ref_name is used if the workflow was trigged by a push. + BRANCH_NAME: ${{ github.head_ref || github.ref_name }} run: | - export CLEANED_BRANCH_NAME=$(echo ${{ github.ref_name }} | sed 's/^feature[-/]//' | sed 's:^\w*\/::' | tr -s ' _/[]().' '-' | tr '[:upper:]' '[:lower:]' | cut -c1-28 | sed 's/-$//') + export CLEANED_BRANCH_NAME=$(echo ${BRANCH_NAME} | sed 's/^feature[-/]//' | sed 's:^\w*\/::' | tr -s ' _/[]().' '-' | tr '[:upper:]' '[:lower:]' | cut -c1-28 | sed 's/-$//') helm upgrade ${CLEANED_BRANCH_NAME} \ ${HELM_DIR} \ diff --git a/.github/workflows/feature-branch.yml b/.github/workflows/feature-branch.yml index 46e467060..a35c3be1c 100644 --- a/.github/workflows/feature-branch.yml +++ b/.github/workflows/feature-branch.yml @@ -1,6 +1,6 @@ name: Feature Branch -run-name: ${{ github.ref_name }} +run-name: ${{ github.head_ref || github.ref_name }} on: push: From 9695f3cd1046645e3b1a353b62109587bd20a9cf Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Fri, 17 May 2024 23:06:13 +0100 Subject: [PATCH 84/98] Use self-hosted runner --- .github/workflows/build.yml | 2 +- .github/workflows/cleanup-release.yml | 4 ++-- .github/workflows/deploy-dev.yml | 2 +- .github/workflows/deploy.yml | 2 +- .github/workflows/static-analysis.yml | 2 +- .github/workflows/test.yml | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a81f27a3f..482b93a85 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -16,7 +16,7 @@ on: jobs: build-and-push-to-ecr: name: Build and Push - runs-on: ubuntu-latest + runs-on: self-hosted permissions: id-token: write # This is required for requesting the JWT contents: read # This is required for actions/checkout diff --git a/.github/workflows/cleanup-release.yml b/.github/workflows/cleanup-release.yml index 49b226c76..1548c6af2 100644 --- a/.github/workflows/cleanup-release.yml +++ b/.github/workflows/cleanup-release.yml @@ -10,9 +10,9 @@ on: jobs: clean-up-release: - name: Clean up release + name: Uninstall Helm chart environment: dev - runs-on: ubuntu-latest + runs-on: self-hosted permissions: id-token: write # This is required for requesting the JWT contents: read # This is required for actions/checkout diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml index efe48f494..eb4277e24 100644 --- a/.github/workflows/deploy-dev.yml +++ b/.github/workflows/deploy-dev.yml @@ -28,7 +28,7 @@ jobs: deploy: name: Deploy environment: ${{ inputs.environment }} - runs-on: ubuntu-latest + runs-on: self-hosted permissions: id-token: write # This is required for requesting the JWT contents: read # This is required for actions/checkout diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 59a85ddab..c6e9b1ff4 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -28,7 +28,7 @@ jobs: deploy: name: Deploy environment: ${{ inputs.environment }} - runs-on: ubuntu-latest + runs-on: self-hosted permissions: id-token: write # This is required for requesting the JWT contents: read # This is required for actions/checkout diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index b95b2c452..486041bcf 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml 
@@ -4,7 +4,7 @@ on: workflow_call jobs: lint: name: Ruff - runs-on: ubuntu-latest + runs-on: self-hosted steps: - uses: actions/checkout@v4 - uses: chartboost/ruff-action@v1 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index df1b39f99..c182138f0 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -5,7 +5,7 @@ on: workflow_call jobs: test: name: Pytest - runs-on: ubuntu-latest + runs-on: self-hosted steps: - name: Checkout the repository uses: actions/checkout@v4 From 86000e3998587b780c4b1f7642fd75447925b72b Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Fri, 17 May 2024 23:07:38 +0100 Subject: [PATCH 85/98] Runs static analysis on ubuntu-latest --- .github/workflows/static-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index 486041bcf..b95b2c452 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml @@ -4,7 +4,7 @@ on: workflow_call jobs: lint: name: Ruff - runs-on: self-hosted + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: chartboost/ruff-action@v1 From 09ff300f322facc6ff879c771eaff19b40a74e52 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Fri, 17 May 2024 23:09:58 +0100 Subject: [PATCH 86/98] Revert "Use self-hosted runner" This reverts commit 9695f3cd1046645e3b1a353b62109587bd20a9cf. --- .github/workflows/build.yml | 2 +- .github/workflows/cleanup-release.yml | 4 ++-- .github/workflows/deploy-dev.yml | 2 +- .github/workflows/deploy.yml | 2 +- .github/workflows/test.yml | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 482b93a85..a81f27a3f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -16,7 +16,7 @@ on: jobs: build-and-push-to-ecr: name: Build and Push - runs-on: self-hosted + runs-on: ubuntu-latest permissions: id-token: write # This is required for requesting the JWT contents: read # This is required for actions/checkout diff --git a/.github/workflows/cleanup-release.yml b/.github/workflows/cleanup-release.yml index 1548c6af2..49b226c76 100644 --- a/.github/workflows/cleanup-release.yml +++ b/.github/workflows/cleanup-release.yml @@ -10,9 +10,9 @@ on: jobs: clean-up-release: - name: Uninstall Helm chart + name: Clean up release environment: dev - runs-on: self-hosted + runs-on: ubuntu-latest permissions: id-token: write # This is required for requesting the JWT contents: read # This is required for actions/checkout diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml index eb4277e24..efe48f494 100644 --- a/.github/workflows/deploy-dev.yml +++ b/.github/workflows/deploy-dev.yml @@ -28,7 +28,7 @@ jobs: deploy: name: Deploy environment: ${{ inputs.environment }} - runs-on: self-hosted + runs-on: ubuntu-latest permissions: id-token: write # This is required for requesting the JWT contents: read # This is required for actions/checkout diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index c6e9b1ff4..59a85ddab 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -28,7 +28,7 @@ jobs: deploy: name: Deploy environment: ${{ inputs.environment }} - runs-on: self-hosted + runs-on: ubuntu-latest permissions: id-token: write # This is required for requesting the JWT contents: read # This is required for actions/checkout diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c182138f0..df1b39f99 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -5,7 +5,7 @@ on: workflow_call jobs: test: name: Pytest - runs-on: self-hosted + runs-on: ubuntu-latest steps: - name: Checkout the repository uses: actions/checkout@v4 
From 51fca4ee7e4b1777cb8829aebb949219fbfcae88 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Fri, 17 May 2024 23:16:29 +0100 Subject: [PATCH 87/98] Set correct dev TLS URL --- .github/workflows/deploy-dev.yml | 2 +- helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml index efe48f494..4e7b48485 100644 --- a/.github/workflows/deploy-dev.yml +++ b/.github/workflows/deploy-dev.yml @@ -77,6 +77,6 @@ jobs: --set image.tag=${IMAGE_TAG} \ --set fullnameOverride=${CLEANED_BRANCH_NAME} \ --set ingress.hosts[0].host=${CLEANED_BRANCH_NAME}.${DEV_HOST} \ - --set tls.hosts[0]=${CLEANED_BRANCH_NAME}.${DEV_HOST} \ + --set tls.hosts[0].host=${CLEANED_BRANCH_NAME}.${DEV_HOST} \ --force \ --install diff --git a/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml b/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml index ec39c9deb..aad075bfd 100644 --- a/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml @@ -7,7 +7,7 @@ ingress: enabled: true tls: - hosts: - - "access-civil-legal-aid-dev.cloud-platform.service.justice.gov.uk" + - host: "access-civil-legal-aid-dev.cloud-platform.service.justice.gov.uk" hosts: - host: "access-civil-legal-aid-dev.cloud-platform.service.justice.gov.uk" paths: From a8fcaa3e8381736765ca1dc76843904d7671e506 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Fri, 17 May 2024 23:27:04 +0100 Subject: [PATCH 88/98] Change how TLS host is set --- .github/workflows/deploy-dev.yml | 2 +- helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml index 4e7b48485..14333fe40 100644 --- a/.github/workflows/deploy-dev.yml +++ b/.github/workflows/deploy-dev.yml 
@@ -77,6 +77,6 @@ jobs: --set image.tag=${IMAGE_TAG} \ --set fullnameOverride=${CLEANED_BRANCH_NAME} \ --set ingress.hosts[0].host=${CLEANED_BRANCH_NAME}.${DEV_HOST} \ - --set tls.hosts[0].host=${CLEANED_BRANCH_NAME}.${DEV_HOST} \ + --set ingress.tls[0].hosts[0]=${CLEANED_BRANCH_NAME}.${DEV_HOST} \ --force \ --install diff --git a/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml b/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml index aad075bfd..ec39c9deb 100644 --- a/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/values/values-dev.yaml @@ -7,7 +7,7 @@ ingress: enabled: true tls: - hosts: - - host: "access-civil-legal-aid-dev.cloud-platform.service.justice.gov.uk" + - "access-civil-legal-aid-dev.cloud-platform.service.justice.gov.uk" hosts: - host: "access-civil-legal-aid-dev.cloud-platform.service.justice.gov.uk" paths: From 31ba41469d5dbade9507c66b6c4d21a98c06f8db Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Sat, 18 May 2024 17:02:06 +0100 Subject: [PATCH 89/98] Use single octet for dev URL --- .github/workflows/deploy-dev.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml index 14333fe40..2b72e7db4 100644 --- a/.github/workflows/deploy-dev.yml +++ b/.github/workflows/deploy-dev.yml @@ -68,6 +68,7 @@ jobs: BRANCH_NAME: ${{ github.head_ref || github.ref_name }} run: | export CLEANED_BRANCH_NAME=$(echo ${BRANCH_NAME} | sed 's/^feature[-/]//' | sed 's:^\w*\/::' | tr -s ' _/[]().' '-' | tr '[:upper:]' '[:lower:]' | cut -c1-28 | sed 's/-$//') + export HOST_NAME=${CLEANED_BRANCH_NAME}-${DEV_HOST} helm upgrade ${CLEANED_BRANCH_NAME} \ ${HELM_DIR} \ 
@@ -76,7 +77,7 @@ jobs: --set image.repository=${REGISTRY}/${REPOSITORY} \ --set image.tag=${IMAGE_TAG} \ --set fullnameOverride=${CLEANED_BRANCH_NAME} \ - --set ingress.hosts[0].host=${CLEANED_BRANCH_NAME}.${DEV_HOST} \ - --set ingress.tls[0].hosts[0]=${CLEANED_BRANCH_NAME}.${DEV_HOST} \ + --set ingress.hosts[0].host=${HOST_NAME} \ + --set ingress.tls[0].hosts[0]=${HOST_NAME} \ --force \ --install From 4269d522763412903d16137d545b3ce4ca3a9d32 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Sun, 19 May 2024 14:25:22 +0100 Subject: [PATCH 90/98] Remove unnecessary version checks --- .../laa-access-civil-legal-aid/templates/ingress.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml b/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml index ce1ec60b3..a2338ce06 100644 --- a/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml @@ -6,13 +6,7 @@ {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} {{- end }} {{- end }} -{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} apiVersion: networking.k8s.io/v1 -{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1beta1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} kind: Ingress metadata: name: {{ $fullName }} From 34f67e1a4f8545d5bace7eb1fc72323614e0cbef Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Sun, 19 May 2024 14:59:01 +0100 Subject: [PATCH 91/98] Temporarily allow main branch workflow to run from this feature branch --- .github/workflows/main-branch.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main-branch.yml b/.github/workflows/main-branch.yml index 6ce6685b4..ea96e33af 100644 --- a/.github/workflows/main-branch.yml +++ b/.github/workflows/main-branch.yml 
@@ -6,6 +6,7 @@ on: push: branches: - main + - feature/LGA-3086-ci-cd-setup jobs: static-analysis: From ae24ac171049401760f7a6e0331e06724a7a0414 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Sun, 19 May 2024 15:03:09 +0100 Subject: [PATCH 92/98] Added test step to main branch workflow --- .github/workflows/main-branch.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main-branch.yml b/.github/workflows/main-branch.yml index ea96e33af..1442818f2 100644 --- a/.github/workflows/main-branch.yml +++ b/.github/workflows/main-branch.yml @@ -13,10 +13,14 @@ jobs: name: Static Analysis uses: ./.github/workflows/static-analysis.yml + test: + name: Test + uses: ./.github/workflows/test.yml + build-and-push: name: Build uses: ./.github/workflows/build.yml - needs: static-analysis + needs: [static-analysis, test] with: ECR_REGION: ${{vars.ECR_REGION}} ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}} @@ -26,7 +30,6 @@ jobs: deploy-staging: name: Staging uses: ./.github/workflows/deploy.yml - if: github.ref == 'refs/heads/master' needs: build-and-push with: environment: staging @@ -42,7 +45,6 @@ jobs: deploy-production: name: Production uses: ./.github/workflows/deploy.yml - if: github.ref == 'refs/heads/master' needs: deploy-staging with: environment: production From 8bf9cb897973bc8b3bc6b73ed35aa75d5addda51 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Sun, 19 May 2024 15:05:21 +0100 Subject: [PATCH 93/98] Added Release/ Feature tag to run names --- .github/workflows/feature-branch.yml | 2 +- .github/workflows/main-branch.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/feature-branch.yml b/.github/workflows/feature-branch.yml index a35c3be1c..a28eea085 100644 --- a/.github/workflows/feature-branch.yml +++ b/.github/workflows/feature-branch.yml 
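Review bot: Listing `feature/LGA-3086-ci-cd-setup` under `on.push.branches` in main-branch.yml lets a push to that branch start the Release workflow, and the hunks at `@@ -26,7 +30,6 @@` and `@@ -42,7 +45,6 @@` in the next patch drop the job-level `if:` from `deploy-staging` and `deploy-production`, so while both changes are in place nothing in this file ties the production deploy to the default branch. The removed condition compared against `refs/heads/master` while the trigger is `main`, so it could never pass; correcting it is safer than deleting it: `if: github.ref == 'refs/heads/main'` on both deploy jobs. For trial runs from a feature branch, a `workflow_dispatch` trigger limited to the build and test jobs avoids widening the push trigger. Whether deploy.yml binds `environment: production` to a protected environment with required reviewers is not visible here and is worth confirming.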
@@ -1,6 +1,6 @@ name: Feature Branch -run-name: ${{ github.head_ref || github.ref_name }} +run-name: Feature - ${{ github.head_ref || github.ref_name }} on: push: diff --git a/.github/workflows/main-branch.yml b/.github/workflows/main-branch.yml index 1442818f2..4af54f2bf 100644 --- a/.github/workflows/main-branch.yml +++ b/.github/workflows/main-branch.yml @@ -1,6 +1,6 @@ name: Release -run-name: ${{ github.ref_name }} +run-name: Release - ${{ github.ref_name }} on: push: From 0cdff1c21304e4394fc3004d3fc20feb408fe0f9 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Sun, 19 May 2024 15:37:39 +0100 Subject: [PATCH 94/98] Add VPN whitelist to ingress --- helm_deploy/laa-access-civil-legal-aid/templates/_helpers.tpl | 4 ++++ helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml | 1 + 2 files changed, 5 insertions(+) diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/_helpers.tpl b/helm_deploy/laa-access-civil-legal-aid/templates/_helpers.tpl index 290868b96..32a3aad65 100644 --- a/helm_deploy/laa-access-civil-legal-aid/templates/_helpers.tpl +++ b/helm_deploy/laa-access-civil-legal-aid/templates/_helpers.tpl @@ -23,6 +23,10 @@ If release name contains chart name it will be used as a full name. {{- end }} {{- end }} +{{- define "laa-access-civil-legal-aid.whitelist" -}} +{{ join "," .Values.ingress.whitelist }} +{{- end -}} + {{/* Create chart name and version as used by the chart label. */}} diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml b/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml index a2338ce06..ff7ea2417 100644 --- a/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml 
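Review bot: The new `laa-access-civil-legal-aid.whitelist` helper in _helpers.tpl joins `.Values.ingress.whitelist` without checking that the list holds anything, so a values file that omits it renders an empty string into the source-range annotation added in ingress.yaml. How the ingress controller treats an empty value is outside this chart's control, and the plausible outcomes (a rejected ingress, or one with no restriction) should not happen silently. Failing the render is clearer: put `{{- if not .Values.ingress.whitelist }}{{ fail "ingress.whitelist must list at least one CIDR" }}{{- end }}` at the top of the define. The other helpers in this file carry a `{{/* ... */}}` comment; this one should too, saying it returns the allowed source CIDRs as one comma-separated string.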
@@ -16,6 +16,7 @@ metadata: {{- if .Values.ingress.cluster.name }} external-dns.alpha.kubernetes.io/set-identifier: "{{ $fullName }}-{{ .Release.Namespace }}-{{- .Values.ingress.cluster.name -}}" external-dns.alpha.kubernetes.io/aws-weight: "{{- .Values.ingress.cluster.weight -}}" + nginx.ingress.kubernetes.io/whitelist-source-range: "{{ include "laa-access-civil-legal-aid.whitelist" . }}" {{- end }} {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} From ef19c78bdb9e1801b83bff283f6e8dccfb209fd3 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Sun, 19 May 2024 15:52:06 +0100 Subject: [PATCH 95/98] Removed temporary ability for the feature branch to push to staging and main --- .github/workflows/main-branch.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/main-branch.yml b/.github/workflows/main-branch.yml index 4af54f2bf..fc1474b1d 100644 --- a/.github/workflows/main-branch.yml +++ b/.github/workflows/main-branch.yml @@ -6,7 +6,6 @@ on: push: branches: - main - - feature/LGA-3086-ci-cd-setup jobs: static-analysis: From debea38ec5687a7f69d680e1b6c614256dbf56f0 Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Sun, 19 May 2024 16:32:21 +0100 Subject: [PATCH 96/98] Added trailing blank line to EOF --- .github/workflows/feature-branch.yml | 2 +- .github/workflows/static-analysis.yml | 2 +- .github/workflows/test.yml | 2 +- requirements.in | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/feature-branch.yml b/.github/workflows/feature-branch.yml index a28eea085..d337d460f 100644 --- a/.github/workflows/feature-branch.yml +++ b/.github/workflows/feature-branch.yml @@ -57,4 +57,4 @@ jobs: KUBE_CERT: ${{ secrets.KUBE_CERT }} KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} - KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} \ No newline at end of file + KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }} 
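Review bot: The `nginx.ingress.kubernetes.io/whitelist-source-range` annotation is added inside the `{{- if .Values.ingress.cluster.name }}` block, so a release whose values leave `ingress.cluster.name` unset gets an ingress with no source-range restriction at all. The restriction does not depend on the external-dns settings; moving the line below the `{{- end }}` that closes that block, or giving it its own `{{- if .Values.ingress.whitelist }}`, makes it apply to every environment. The `toYaml` of `.Values.ingress.annotations` follows in the same map, so a values file that sets the same key there would produce a duplicate annotation key, and it is worth checking that none does. The `metadata:` block starts and ends outside the hunk.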
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index b95b2c452..c281a783b 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml @@ -10,4 +10,4 @@ jobs: - uses: chartboost/ruff-action@v1 with: args: check --output-format=github - src: './src' \ No newline at end of file + src: './src' diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index df1b39f99..afebd1f71 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -30,4 +30,4 @@ jobs: name: pytest-results path: junit/test-results.xml # Use always() to always run this step to publish test results when there are test failures - if: ${{ always() }} \ No newline at end of file + if: ${{ always() }} diff --git a/requirements.in b/requirements.in index 2077213c3..e3e9a71d9 100644 --- a/requirements.in +++ b/requirements.in @@ -1 +1 @@ -Flask \ No newline at end of file +Flask From 9024ed52c39ce0f99ad8be4fba416db987efe8af Mon Sep 17 00:00:00 2001 From: Ben Millar Date: Tue, 21 May 2024 22:03:14 +0100 Subject: [PATCH 97/98] Uses environment variable to get the ECR Registry --- .github/workflows/deploy-dev.yml | 12 +----------- .github/workflows/deploy.yml | 12 +----------- 2 files changed, 2 insertions(+), 22 deletions(-) diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml index 2b72e7db4..f46bd5741 100644 --- a/.github/workflows/deploy-dev.yml +++ b/.github/workflows/deploy-dev.yml 
@@ -47,21 +47,11 @@ jobs: kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} kubectl config use-context ${KUBE_CLUSTER} - - name: Assume role in Cloud Platform - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.ECR_ROLE_TO_ASSUME }} - aws-region: ${{ inputs.ECR_REGION }} - - - name: Login to container registry - id: login-ecr - uses: aws-actions/amazon-ecr-login@v2 - - name: Upgrade the Helm chart env: IMAGE_TAG: ${{ github.sha }} + REGISTRY: ${{ secrets.ECR_REGISTRY }} REPOSITORY: ${{ inputs.ECR_REPOSITORY }} - REGISTRY: ${{ steps.login-ecr.outputs.registry }} HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" DEV_HOST: "access-cla.cloud-platform.service.justice.gov.uk" # head_ref is set if the workflow was triggered by a PR, ref_name is used if the workflow was trigged by a push. diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 59a85ddab..e5e31dc25 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -47,21 +47,11 @@ jobs: kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE} kubectl config use-context ${KUBE_CLUSTER} - - name: Assume role in Cloud Platform - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.ECR_ROLE_TO_ASSUME }} - aws-region: ${{ inputs.ECR_REGION }} - - - name: Login to container registry - id: login-ecr - uses: aws-actions/amazon-ecr-login@v2 - - name: Upgrade the Helm chart env: IMAGE_TAG: ${{ github.sha }} + REGISTRY: ${{ secrets.ECR_REGISTRY }} REPOSITORY: ${{ inputs.ECR_REPOSITORY }} - REGISTRY: ${{ steps.login-ecr.outputs.registry }} HELM_DIR: "helm_deploy/laa-access-civil-legal-aid" run: | helm upgrade laa-access-civil-legal-aid \ From daebd24335c5d6a1c634d5cfcd11ece2b4034bd3 Mon Sep 17 00:00:00 2001 
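Review bot: `REGISTRY: ${{ secrets.ECR_REGISTRY }}` in deploy-dev.yml, and the same line in the deploy.yml hunk below it, has nothing behind it if the secret is missing: an unset secret expands to an empty string, and the `--set image.repository=${REGISTRY}/${REPOSITORY}` argument used in deploy-dev.yml would then carry an image reference with no registry host. Both files read `inputs.*`, so they look like reusable workflows, where the secret has to be declared under `on.workflow_call.secrets` and passed by the caller; the diffstat of this patch lists only these two hunks, so that declaration is worth confirming. A fail-fast first line in each `run:` block covers the gap: `: "${REGISTRY:?ECR_REGISTRY is not set}"`. With the two AWS steps gone, `secrets.ECR_ROLE_TO_ASSUME`, `inputs.ECR_REGION` and any `id-token: write` permission on these jobs appear unused and can be dropped, so the deploy jobs no longer receive them.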
From: Ben Millar Date: Tue, 21 May 2024 22:19:56 +0100 Subject: [PATCH 98/98] Removed unused deployment boiler plate --- .../templates/deployment.yaml | 22 ------------------- .../templates/ingress.yaml | 2 -- 2 files changed, 24 deletions(-) diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/deployment.yaml b/helm_deploy/laa-access-civil-legal-aid/templates/deployment.yaml index f38f67858..0ebaa1138 100644 --- a/helm_deploy/laa-access-civil-legal-aid/templates/deployment.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/templates/deployment.yaml @@ -48,25 +48,3 @@ spec: httpGet: path: / port: http - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.volumeMounts }} - volumeMounts: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.volumes }} - volumes: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml b/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml index ff7ea2417..82ec81bcc 100644 --- a/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml +++ b/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml @@ -22,9 +22,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} ingressClassName: {{ .Values.ingress.className }} - {{- end }} {{- if .Values.ingress.tls }} tls: {{- range .Values.ingress.tls }}